This Bill
amends the Privacy Act 1988 to implement the
Government’s first stage response to the Australian Law
Reform Commission’s (ALRC) report number 108, called
‘For Your Information: Australian Privacy Law and
Practice’ (ALRC Report). Given the large number of
recommendations, the Government announced that it would respond to
the ALRC report in two stages. The Government’s first
stage response addressed 197 of the ALRC’s 295
recommendations. The Bill implements the major legislative
elements of the Government’s first stage response.

The Bill
amends the Privacy Act to:

Create the
Australian Privacy Principles (APPs), a single set of privacy
principles applying to both Commonwealth agencies and private
sector organisations (referred to as APP entities), which replace
the Information Privacy Principles (IPPs) for the public sector and
the National Privacy Principles (NPPs) for the private
sector

Introduce
more comprehensive credit reporting with improved privacy
protections, at the same time rewriting the credit reporting
provisions to achieve greater logical consistency, simplicity and
clarity and updating the provisions to more effectively address the
significant developments in the operation of the credit
reporting system since the provisions were first enacted in
1990

Introduce
new provisions on privacy codes and the credit reporting code
(called the CR code), including powers for the Commissioner to
develop and register codes in the public interest that are binding
on specified agencies and organisations; and

Clarify
the functions and powers of the Commissioner and improve the
Commissioner’s ability to resolve complaints, recognise and
encourage the use of external dispute resolution services, conduct
investigations and promote compliance with privacy
obligations.

The Bill
introduces modifications to the Act as recommended by the ALRC.
The APPs set out standards, rights and obligations in
relation to the handling and maintenance of personal information by
APP entities, including dealing with privacy policies and the
collection, storage, use, disclosure, quality and security of
personal information, and access and correction rights of
individuals in relation to their personal information. As
recommended by the ALRC, the APPs and credit reporting provisions
are structured to more accurately reflect the ‘life
cycle’ of personal information.

The Bill
introduces a number of additional safeguards for the protection of
privacy, including enhanced notification, quality, correction, and
dispute resolution mechanisms for individuals.

Structure of the Bill

The
substantive elements of the reforms are contained in six schedules
to the Bill. Each schedule deals with a particular subject
and related matters, including related definitions. The
schedules and their topics are:

Schedule 1 - Australian Privacy Principles

Schedule 2 - Credit reporting

Schedule 3 - Privacy codes

Schedule 4 - Other amendments of the Privacy Act 1988

Schedule 5 - Amendment of other Acts

Schedule 6 - Application, transitional and savings provisions

Schedule 1 - the Australian Privacy Principles

Schedule 1 of the Bill amends the Privacy Act to create the APPs, a single set of
privacy principles applying to APP entities, a term that refers to
both Commonwealth agencies and private sector organisations.
To facilitate ease of reference to the APPs and minimise
confusion around numbering that may result if they were sections of
the Act, they are inserted as a schedule to the Act.

The APPs
are grouped into five sets of principles:

Principles
that require APP entities to consider the privacy of personal
information, including ensuring that APP entities manage personal
information in an open and transparent way (APP 1, APP
2)

Principles
about how APP entities deal with personal information and
government related identifiers, including principles about the use
and disclosure (including cross-border disclosure) of personal
information and identifiers (APP 6, APP 7, APP 8, APP
9)

Schedule 1 also deals with a range of amendments relating to the APPs,
including amendments to update or insert new definitions.
One key term that has been updated is ‘personal
information’.

Schedule 1
also repeals Divisions 2 and 3 of Part III of the Act. These
divisions provide for the application of the IPPs, the NPPs and
approved privacy codes. The IPPs and NPPs will be replaced by
the APPs. A new Part IIIB will be inserted into the Act
dealing with privacy codes.

Schedule 2 - Credit Reporting

The Privacy Amendment Act 1990, which commenced in September
1991, extended the coverage of the Privacy Act to consumer credit
reporting. The credit reporting provisions of the Privacy Act
are contained in Part IIIA and associated provisions (the credit
reporting provisions). The credit reporting provisions
primarily regulate the handling and maintenance of certain kinds of
personal information concerning consumer credit that is intended to
be used wholly or primarily for domestic, family or household
purposes.

The
purpose of the credit reporting system is to balance an
individual’s interests in protecting their personal
information with the need to ensure sufficient personal information
is available to assist a credit provider to determine an
individual’s eligibility for credit following an application
for credit by an individual, and for related matters. The
credit reporting system provides an aid to credit providers in
managing the risks of providing consumer credit to
individuals. Only limited and defined kinds of relevant
personal information are permitted in the credit reporting
system.

The credit
reporting system in Australia has been a ‘negative’
reporting system. The main kinds of personal information
permitted in the system were information about:

· a credit
provider having sought a credit report regarding an individual in
connection with an application for credit, and the amount of credit
sought in the application

· an
individual’s current credit providers

· any credit
defaults; and

· a credit
provider’s opinion that the individual has committed a
serious credit infringement.

Schedule 2 amends the credit reporting provisions in the Privacy Act. The credit
reporting provisions have been completely revised, consistent with
the intention to ensure greater logical consistency, simplicity and
clarity throughout the Privacy Act. The new provisions are
based on the flows of personal information in the credit reporting
system and also clearly address the interaction of the provisions
with the APPs where relevant.

This schedule of the Bill implements the ALRC’s recommendation to move to a
‘more comprehensive’ credit reporting system.
This means a limited number of additional kinds of credit related
personal information about individuals are permitted in the credit
reporting system. The five new kinds of personal information
(also known in the industry as ‘data sets’) are:

· the date the credit account was opened

· the type of credit account opened

· the date the credit account was closed

· the current limit of each open credit account; and

· repayment performance history about the individual.

The fifth kind of personal information, repayment history
information, is only available to credit providers who are
licensees under Chapter 3 of the National Consumer Credit
Protection Act and subject to responsible lending obligations under
that Chapter. In certain defined circumstances repayment
history information is also available to mortgage insurers for
mortgage insurance purposes.

Comprehensive credit reporting will give credit providers access to
additional personal information to assist them in establishing an
individual’s credit worthiness. The additional personal
information will allow credit providers to make a more robust
assessment of credit risk and assist credit providers to meet their
responsible lending obligations. It is expected that this
will lead to decreased levels of over-indebtedness and lower credit
default rates. More comprehensive credit reporting is also
expected to improve competition and efficiency in the credit
market, which may result in reductions to the cost of credit for
individuals.

The new credit reporting provisions will provide
additional consumer protections by enhancing obligations and
processes dealing with notification, data quality, access and
correction, and complaints. This
includes measures to place greater responsibility on credit
reporting bodies and credit providers to assist individuals to
access, correct and resolve complaints about their personal
information. Other measures that will benefit individuals
include the introduction of specific rules to deal with pre-screening
of credit offers and the freezing of access to an individual’s personal
information in cases of suspected identity theft or fraud.

Schedule 3 - Codes

Schedule 3 replaces the provisions dealing with privacy codes and the Credit Reporting
Code of Conduct with a new Part IIIB dealing with codes of practice
under the APPs (called APP codes) and a code of practice about
credit reporting (called the CR Code).

An APP
code may be developed by APP code developers (either at their own
initiative or following a request from the Commissioner) or by the
Commissioner. APP codes do not replace the APPs, but operate
in addition to the requirements of the APPs. An APP code must
set out how one or more of the APPs are to be applied or complied
with. An APP code may also deal with other relevant matters,
and may impose additional requirements to those imposed by the APPs
so long as the additional requirements are not contrary to, or
inconsistent with, the APPs. Once the APP code has been
developed an application may be made to the Commissioner for
registration of the code. The Commissioner then decides
whether or not to register the APP code. The Commissioner
also has the power to develop an APP code. This power can
only be exercised if the Commissioner has requested the development
of an APP code and the request has not been complied with or the
Commissioner has decided not to register the APP code that was
developed as requested. The Commissioner may then register
the APP code that was developed by the Commissioner.

Any APP
code that is registered will be a disallowable legislative
instrument. An APP
entity that is bound by a registered APP code must not do an act,
or engage in a practice, that breaches the registered APP
code. A breach of the registered APP code will be an
interference with privacy by the entity under section 13 of the Act
and subject to investigation by the Commissioner under Part 5 of
the Act. Registered APP codes can be varied or removed from
the register.

The CR
code is an essential part of the regulatory structure of the credit
reporting system. Accordingly, the Commissioner will request
code developers to develop the CR code. The development
process is based on that used for APP codes. The CR code must set
out how one or more of the credit reporting provisions are to be
applied or complied with, and deal with other matters. The CR
code must bind all credit reporting bodies and must set out which
credit providers or other entities (for example, mortgage insurers
and trade insurers) are bound. The Commissioner can develop
the CR code if the code developers do not develop the CR code as
requested, or the Commissioner decides not to register the CR code
that was submitted for registration.

A breach
of the registered CR Code will be an interference with privacy by
the entity under section 13 and subject to investigation by the
Commissioner under Part 5 of the Act. The registered CR code
can be varied.

The
Commissioner has certain functions and powers in relation to
codes. The Commissioner must maintain the Codes Register,
which contains the registered APP codes and registered CR
code. The Commissioner may issue guidelines to provide
assistance in the development of, and compliance with, APP codes
and the CR code. The Commissioner may also make guidelines
about matters the Commissioner may consider in deciding whether to
register or vary an APP code or the CR code, or remove an APP code
from the Register. The Commissioner may also review the
operation of any registered codes.

Schedule 4 - Other amendments of the Privacy Act 1988

Schedule 4 inserts an objects clause into the Act, reforms the functions and powers of
the Information Commissioner, and deals with related matters,
including reform of the provisions on interferences with privacy.
The amendments improve the Commissioner’s ability to
resolve complaints, recognise and encourage the use of external
dispute resolution services, conduct investigations and promote
compliance with privacy obligations. The amendments also
restructure relevant provisions dealing with the powers and
functions of the Commissioner to improve clarity and consistency in
the provisions.

A new
provision sets out the general functions of the Commissioner.
This is followed by provisions which outline in greater
detail the guidance related functions of the Commissioner, the
monitoring related functions of the Commissioner, and the advice
related functions of the Commissioner. Relevant
definitions related to the functions and powers of the Commissioner
are also amended.

Other
amendments to the Commissioner’s powers and functions made by
Schedule 4 include:

Clause 33C
will enable the Commissioner to conduct an assessment of an APP
entity’s maintenance of personal information

Clause 33E
will allow the Commissioner to accept written undertakings by
entities to take, or refrain from taking, specified actions to
ensure compliance with the Act

Clause 35A
will give the Commissioner the power to recognise external dispute
resolution schemes

Clause 40A
will deal with the conciliation of complaints by the
Commissioner

Item 90
will extend the Commissioner’s power to make inquiries of
persons other than the respondent to a complaint; and

Clause 52(3A) will allow the Commissioner to include in a determination
any order that the Commissioner considers necessary or appropriate.

Schedule 4
also amends the provisions dealing with the extra-territorial
operation of the Act. Subsection 5B(1) is amended to extend
the extra-territorial operation of the Act and registered APP and
CR codes to organisations and small businesses with an Australian
link. The term ‘Australian link’ is used to
define the entities that are subject to the operation of the Act,
and is used, for example, in APP 8 and throughout the credit
reporting provisions.

A new
section 13G is inserted, to provide a civil penalty for a serious
or repeated interference with the privacy of an individual.
Schedule 4 also inserts a new Part VIB, which deals with
civil penalties.

Schedule 5 - Amendment of other Acts

Schedule 5 contains amendments to other Acts that are consequential
to the amendments in Schedules 1 to 4 of the Bill. These amendments primarily
replace references to the IPPs or NPPs with the APPs and insert new
definitions, including certain credit reporting terms, in other
Acts that interact with the Privacy Act.

Schedule 6 - Application, transitional and savings provisions

Schedule 6 contains amendments to address transitional issues relating to the
commencement of the new provisions.

Financial Impact Statement

The Bill
will have no significant impact on Commonwealth expenditure or
revenue.

Regulation Impact Statement

A
regulation impact statement is only required for the credit
reporting measures contained in this Bill.

REGULATION IMPACT STATEMENT - CREDIT REPORTING REFORMS

Background, purpose and structure of the Regulation Impact Statement (RIS)

Background

In 2006
the then Australian Government asked the Australian Law Reform
Commission (ALRC) to conduct an inquiry into the extent to which
the Privacy Act 1988 (the Privacy Act) and related laws
continue to provide an effective framework for the protection of
privacy in Australia.

In August
2008 the ALRC report For Your Information: Australian Privacy
Law and Practice (108) (the ALRC Report) was publicly
released. The ALRC Report contains 295 recommendations
for reform of the Privacy Act and related legislation, including
recommendations relating to reform of the consumer credit reporting
provisions (Part IIIA of the Privacy Act).

Over a two
year period, the ALRC released an Issues Paper and Discussion Paper
to assist in informing its recommendations in the final
report. In developing the consumer credit reporting
recommendations, the ALRC formed a Credit Reporting Advisory Sub
Committee made up of Treasury officials, consumer advocates, credit
provider representatives and credit reporting agency
representatives. The ALRC consulted widely with community
groups and the business community, seeking written submissions and
conducting a series of roundtables with individuals, agencies and
organisations about consumer credit reporting.

The ALRC
recommendations on credit reporting contain two significant
proposals:

The
current consumer credit reporting regime move to a system that
includes ‘more comprehensive’ consumer credit
information, as follows:

Recommendation 55-1 The new
Privacy (Credit Reporting Information) Regulations should
permit credit reporting information to include the following
categories of personal information, in addition to those currently
permitted in credit information files under the Privacy Act:

Recommendation 55-2 Subject to
Recommendation 55-3, the new Privacy (Credit
Reporting Information) Regulations should also permit credit
reporting information to include an individual’s repayment
performance history, comprised of information
indicating:

i. whether,
over the prior two years, the individual was meeting his or her
repayment obligations as at each point of the relevant repayment
cycle for a credit account; and, if not,

ii. the number
of repayment cycles the individual was in arrears.

Recommendation 55-3 The
Australian Government should implement
Recommendation 55-2 only after it is satisfied that
there is an adequate framework imposing responsible lending
obligations in Commonwealth, state and territory
legislation.

Recommendation 55-4 The credit
reporting code should set out procedures for reporting repayment
performance history, within the parameters prescribed by the new
Privacy (Credit Reporting Information) Regulations.

Recommendation 55-5 The new
Privacy (Credit Reporting Information) Regulations should
provide for the deletion of the information referred to in
Recommendation 55-1 two years after the date on which a
credit account is closed.

A new
credit reporting Code of Conduct be developed by industry, as
follows:

Recommendation 54-9 Credit
reporting agencies and credit providers, in consultation with
consumer groups and regulators, including the Office of the Privacy
Commissioner, should develop a credit reporting code providing
detailed guidance within the framework provided by the Privacy
Act and the new Privacy (Credit Reporting Information)
Regulations. The credit reporting code should deal with a
range of operational matters relevant to compliance.

Purpose

The
purpose of this RIS is to determine whether the proposed policy
objectives in Recommendations 55-1 to 55-5 and 54-9 should be
accepted and if so, the form in which the recommendations should be
accepted.

Structure

The RIS
begins by providing background on the issue of consumer credit
reporting and summarises previous reviews. It then provides
background on the issue of a credit reporting Code of
Conduct. The RIS is then broken into two parts. Part A
considers comprehensive credit reform, while Part B considers a
credit reporting code of conduct. The RIS examines the
problems, options and impacts to determine the most effective and
efficient regulatory approach in relation to both of these
issues.

Background to Consumer Credit Reporting

The credit
reporting system is intended to increase the efficiency of
Australia’s consumer credit market. As of June 2008,
total consumer credit on issue, including securitisations, was
$1113.4 billion. Of this, housing credit on issue stood at
$957.9 billion and other personal credit on issue was $155.6
billion. The largest sector of consumer credit is residential
mortgages, which are estimated to account for over 86 per cent of
all consumer loans. [1]

Within the
consumer credit market credit providers obtain credit reports from
credit reporting agencies (CRAs) to assist in the assessment of
credit applications with the aim of minimising the risk of customer
defaults.

CRAs
collect information about individuals from credit providers and
from publicly available sources (such as bankruptcy information
obtained from the Insolvency and Trustee Service Australia).
This information is used in generating credit reporting information
for credit providers. Credit providers use this information
when assessing credit applications, as it augments information
obtained directly from an individual’s application form, the
credit provider’s own records of past transactions involving
the individual (if any), and any other enquiries the credit
provider may choose to make.

Consumer
credit reporting is regulated by Part IIIA of the Privacy
Act. It regulates the types of personal information that may
be collected and disclosed in the course of consumer credit
reporting by a defined class of CRAs and credit providers.
The Privacy Act allows for the collection and disclosure of
‘negative’ credit reporting information.
Subsection 18E(1) of the Privacy Act sets out a prescriptive
list of information which may be included in a credit information
file. This includes:

· a credit
provider having sought a credit report in connection with an
application for credit, and the amount of credit sought (inquiry
information)

· a credit
provider being a current credit provider in relation to the
individual (current credit provider status)

· credit
provided by a credit provider to an individual, where the
individual is at least 60 days overdue in making a payment on
that credit (default information)

· a cheque
for $100 or more that has been dishonoured twice

· a court
judgment or bankruptcy order made against the individual;
and

· a credit
provider’s opinion that the individual has committed a
serious credit infringement.

In
Australia there are currently three CRAs active:

- Veda
Advantage (Veda)

- Dun and
Bradstreet (D&B); and

- Tasmanian
Collection Service

Veda claims a market share of 96% [2]
with a database of 16.5 million credit-active Australians. [3]
It is understood that Veda has over 5000 subscribers which use its
services, although these are not exclusively credit
providers. [4]
The next largest CRA, D&B, claims to have data on 2.8 million
individuals in Australia and New Zealand. [5]

The
circumstances in which CRAs can disclose personal information
contained in a credit information file are specified in section 18K
of the Act. In general terms, CRAs can only disclose to
credit providers (which is defined by section 6 of the Act to
include mortgage insurers and trade insurers). Section 11B of
the Act sets out a more detailed definition of credit providers,
which includes:

· banks

· any entity
which provides loans or credit cards for a substantial part of its
business or allows individuals to have goods or services on credit
(more than seven days)

· an entity
that provides loans (including by issuing credit cards), provided
the Privacy Commissioner has made a determination in respect of
such a class of entity

· a
government agency that provides loans and is determined by the
Privacy Commissioner to be a credit provider for the purposes of
the Act

· a person
who carries on a business involved in securitisation or managing
loans that are subject to securitisation; or

· an agent
of a credit provider while the agent is carrying on a task
necessary for the processing of a loan application, or managing a
loan or account with the credit provider.

The
definition does not include debt collectors, real estate agents,
employers and general insurers. CRAs are not permitted to
provide credit reports to any organisations which do not fall
within the definition of a credit provider.

National Reform of Consumer Credit Law

Australian
Governments are working towards the reform of consumer credit law
in Australia. COAG, the Council of Australian Governments,
agreed in March and July 2008 to transfer consumer credit
regulation to the Commonwealth. Subsequently, COAG agreed on
3 October 2008 to a two-stage plan to overhaul consumer credit
laws. The first stage of the plan includes the development of
a national licensing scheme for the consumer credit industry,
enacting the Uniform Consumer Credit Code as a Commonwealth law,
and reforming key credit regulation laws.

On 27
April 2009 the then Minister for Superannuation and Corporate Law,
Senator Sherry, released the draft National Consumer Credit
Protection Bill 2009 (the NCCP Bill) for public comment. The
NCCP Bill was introduced into the Australian Parliament on 25 June
2009. [6]
Amongst other things, the NCCP Bill proposes new responsible
lending obligations for all consumer credit in Australia.
ALRC Recommendation 55-3 suggested the Government only permit
repayment performance history in the credit reporting system if
responsible lending obligations were introduced.

The NCCP
Bill introduces a set of responsible lending conduct requirements,
which set a standard of expected behaviour for credit providers
when they enter into a credit contract, or when they suggest a
credit contract to a consumer or provide assistance to a consumer
to apply for a credit contract. Compliance with the
responsible lending laws will require an assessment and
verification of a consumer's credit needs and financial
circumstances, including that the consumer has the capacity to
repay the financial obligations.

Past Reviews of Credit Reporting

The
question of whether more comprehensive credit reporting (also known
as positive reporting) should be introduced into Australia has been
actively considered since the enactment of the credit reporting
system in 1988. Following is a summary of these proposals and
reviews.

Credit Reference Association of Australia (CRAA) proposal

In 1988
the CRAA stated it would augment its collection of credit reporting
information by including information about the current credit
commitments of individuals. The proposal was named the
Payment Performance System (PPS). [7] Under the PPS credit providers
would supply CRAA with tapes containing their customers’
credit accounts which would be merged with existing data every 30
to 60 days. The data would be placed in credit reports
containing a complete listing of all a consumer’s credit
accounts, balances owing, and payment performance on every account
during the previous 24 payment periods. It was proposed that
payments 120 days or more overdue would automatically generate a
default report.

The
CRAA’s proposal was rejected by the then Government on the
grounds that it was a form of ‘positive reporting’
which was too intrusive to the privacy of individuals.

Financial System Inquiry (Wallis Report) Proposal (1997)

The Wallis
Report stated that it was not in a position to assess whether the
benefits of positive credit reporting outweighed the costs, but
considered the potential benefits warranted a complete review of
the issue. The Wallis Report recommended that the
Attorney-General establish a working party to review the existing
credit provisions of the Privacy Act. [8]
No information is available on whether the recommended review
occurred.

Senate Legal and Constitutional References Committee

In 2005
the Senate Legal and Constitutional References Committee reported
on aspects of credit reporting as part of its inquiry into the
Privacy Act. The Committee’s report, The Real
Big Brother: Inquiry into the Privacy Act 1988, found
that no reform of the credit reporting provisions of the Privacy
Act was required. The Committee recommended against
introducing positive credit reporting in Australia, stating
that [9]:

the
experience with the current range of credit information has shown
that industry has not run the existing credit reporting system as
well as would be expected and it is apparent injustice can
prevail. As mentioned elsewhere in this report, positive
reporting is also rejected on the basis that it would magnify the
problems associated with the accuracy and integrity of the current
credit reporting system. The privacy and security risks
associated with the existence of large private sector databases
containing detailed information on millions of people are a major
concern.

The Australian Government’s response to the Senate
Committee’s recommendation concerning credit reporting
stated that review of the credit reporting provisions would be
included in the reference to the ALRC to review privacy law in
Australia.

Senate Economics Committee

The Senate
Economics Committee also considered the issue in its 2005 report
Consenting Adults, Deficits and Household Debt: Links between
Australia’s Current Account Deficit, the Demand for Imported
Goods and Household Debt. The Committee stated that it
was not persuaded to take a different view to that expressed by the
Senate Legal and Constitutional References Committee on the basis
that [10]:

credit
providers were not making full use of the information available to
them; and

defaults
in the credit card market and other signs of financial distress
were very low and did not justify a move to positive credit
reporting.

Victorian Consumer Credit Review

The 2006
Consumer Credit Review examined comprehensive credit reporting as
part of a broad review of the efficiency and fairness of the
operation of credit markets and the regulation of credit in
Victoria. The Consumer Credit Review rejected a form of more
comprehensive credit reporting on the basis that there were
unanswered questions as to whether the benefits outweighed the
costs. However it recommended that further research and
analysis be undertaken on the effects of comprehensive credit
reporting.

House of Representatives Standing Committee on Economics

In
November 2008, after the publication of the ALRC Report, the House
of Representatives Standing Committee on Economics’ Inquiry
Into Competition in the Banking and Non-Banking Sectors recommended
that the Government implement the ALRC’s recommendations on
reforming Australia’s credit reporting system. In
particular, the report considered the effect of comprehensive
credit reporting and concluded that adopting a comprehensive credit
system would provide competitive advantages to both businesses and
individuals. The report referred to The Treasury’s
findings which noted that the current negative credit reporting
model may represent a barrier to competition as it prevents new
entrants and smaller existing lenders from obtaining comprehensive
information on a prospective customer’s ability to service a
loan and that only a ‘customer’s existing
lender…has access to the borrower’s repayment
history’. [11]

Background to Credit Reporting Code of Conduct

Section 18A of the Privacy Act requires the Privacy Commissioner to issue a
Code of Conduct relating to credit information files and credit
reports. The Privacy Commissioner is required
to consult with government, commercial, consumer and other relevant
bodies and organisations before issuing the Code of Conduct.
The Code of Conduct should deal with:

the
collection of personal information for inclusion in
individuals’ credit information files

the
storage of, security of, access to, correction of, use of and
disclosure of personal information included in individuals’
credit information files or in credit reports

the manner
in which credit reporting agencies and credit providers are to
handle disputes relating to credit reporting; and

any other
activities, engaged in by CRAs or credit providers, that are
connected with credit reporting.

The
Privacy Commissioner issued the Credit Reporting Code of
Conduct in 1991. The Code supplements Part IIIA on
matters of detail not addressed by the Privacy Act. Among
other matters, the Code requires credit providers and CRAs
to:

· deal
promptly with individual requests for access and amendment of
personal credit information, such as prescribing specific
timeframes within which requests must be dealt with

· ensure
that only permitted and accurate information is included in an
individual's credit information file

· keep
adequate records in regard to any disclosure of personal credit
information

The Code
supplements Part IIIA of the Privacy Act and creates a set of
legally binding rules. Subsection 18A(4) states that the Code
of Conduct is a disallowable instrument. Section 18B of the
Act requires CRAs and credit providers to comply with the Code of
Conduct.

The term
‘credit providers’ is defined in section 11B of the
Privacy Act. The definition extends to an organisation that
is, among other things, a:

bank

corporation,
a substantial part of whose business or undertaking is the
provision of loans

corporation
that carries on a retail business in the course of which it issues
credit cards; or

corporation
that provides loans and is included in the class of corporations
determined by the Privacy Commissioner to be credit providers for
the purposes of the Privacy Act.

The term
‘loan’ is defined in section 6(1) of the Privacy Act to
mean a contract, arrangement or understanding under which a person
is permitted to defer payment of a debt, and includes a
hire-purchase agreement or an agreement for the hire, lease or
renting of goods or services.

The
Privacy Commissioner has issued two determinations in relation to
the definition of credit provider. These are the Credit
Provider Determination No. 2006-4 (Classes of Credit Providers)
and the Credit Provider Determination No. 2006-3
(Assignees). These determinations state circumstances in
which corporations are to be regarded as credit providers.
They include situations where corporations make loans in respect of
the provision of goods or services on terms that allow the deferral
of payment, in full or in part, for at least seven days.

The
operation of the Privacy Act and the Privacy Commissioner’s
Determinations means that the type of corporations that may be
included within the definition of credit provider has been
considerably expanded. Submissions to the ALRC recognised
that organisations which are retailers or service providers, such
as video store operators or legal and healthcare service providers,
may fall within the definition of credit provider if they extend
payment terms for seven days or more. [12]
In some situations, organisations that would otherwise be small
businesses may be caught by the operation of the credit reporting
provisions.

PART A:
Comprehensive Credit Reporting

1. Problem

1.1
Greater access to independent credit information

A key
objective of credit reporting is to facilitate consumer credit
transactions by encouraging transparency in the market and
providing access to standardised, reliable and timely information
about an individual’s credit risk. [13]
A significant concern in the consumer credit industry is that the
existing credit reporting system does not sufficiently address the
information asymmetry between credit providers and potential
borrowers. Information asymmetry occurs where the credit
provider does not know the full credit history of an individual
applying for credit and therefore the individual has more
information about his or her credit risk than the credit
provider. This can result in adverse selection, where a
credit provider operating in response to information asymmetry,
prices credit based on the average credit risk of
individuals. [14]
The credit reporting system attempts to address this information
asymmetry by providing an independent source of information that
can assist in the assessment of an individual’s credit
application.

The
present credit reporting system in Australia is a negative credit
reporting type of system, as opposed to the ‘positive’
credit reporting type of system permitted in other countries.
The difference between the two systems is the type of personal
information which is permitted to be collected. Negative
reporting limits the collection of personal information to that
which relates to an individual’s credit delinquency, such as
defaults on payments or dishonoured cheques, and inquiries on the
credit record. Positive credit reporting permits the
collection of personal information which demonstrates an
individual’s credit account activity, such as the timeliness
of payments, account type, the credit limit and the amounts of
credit liabilities. However, the terms positive reporting and
negative reporting are not clearly defined and can be
confusing. The ALRC uses the term ‘comprehensive credit
reporting’ to describe the inclusion of additional
information which would feature in a positive credit reporting
system.

It is
argued by the credit reporting industry that Australia’s
current credit reporting system provides insufficient credit
history information about an individual. They argue this may
cause credit providers to incorrectly assess the risk premium of
individuals when they apply for credit, which can cause the
following consequences:

granting
credit, or higher amounts of credit, to individuals who cannot
afford to meet their repayment obligations

not
granting credit, or less credit than desired, to individuals who
can afford to meet their repayment obligations

Industry
stakeholders argue that the lack of more comprehensive information
may mean they are ignorant of the fact that an individual’s
circumstances may have changed and therefore their ability to repay
has changed. Credit providers are forced to place a lot of
emphasis on current information contained in credit reports, such
as default listings, which do not accurately reflect an
individual’s credit risk. A minor default is recorded
for a period of 5 years after the event, but information about an
individual’s changed circumstances, such as evidence of
consistent and timely repayment of debts, is not recorded.
Overall, it is argued there is an information asymmetry which
results in the mis-pricing and mis-allocation of credit. [15]
In consultations industry stakeholders have suggested that the
absence of more comprehensive credit reporting may affect the price
of credit (both in the consumer credit market as a whole and for
individual consumers) which affects the availability of
credit. They also argue that the lack of more comprehensive
credit information may lead to more defaults, as customers who
would not have qualified for credit may be able to obtain credit in
the current negative credit reporting system by exploiting the
information asymmetry which makes it difficult for credit providers
to discover information about an applicant’s true financial
position.

There does
not appear to be independent empirical information available about
the Australian consumer credit reporting system, industry, or the
implications of more comprehensive credit reporting. The lack
of independent information was noted by the ALRC. [16]
Independent information was not available in the preparation of
this RIS.

While the
major purpose of credit reporting is to provide information to
assist credit providers to assess applications for credit, an
effective credit reporting system may also facilitate responsible
lending by credit providers, helping to ensure individuals do not
become financially overcommitted. The National Consumer
Credit Protection Bill 2009 [which has since passed as the
National Consumer Credit Protection Act 2009] proposes
extensive responsible lending obligations which will require credit
providers to ensure they adequately and responsibly assess an
individual’s application for credit.

1.2
Privacy concerns

Permitting
access to more credit information through the credit reporting
system directly affects an individual’s privacy. The
main concerns from consumer and privacy advocate stakeholders and
some commercial stakeholders are:

- the
benefit of comprehensive credit reporting does not outweigh the
additional impact on an individual’s privacy

- CRAs will
have access to large databases of personal information

- comprehensive
credit information may be used for purposes unrelated to assessing
the creditworthiness of an applicant for credit, such as marketing
or other unauthorised purposes, including identity fraud

- there may
be an increased risk that information will be inaccurate due to the
greater volume of information (reflecting existing concerns about
accuracy of the currently held credit reporting information) and
any inaccuracies may make it more difficult for individuals to
obtain credit

- based upon
evidence from overseas, there is an increased risk that the
security of data held by CRAs will be compromised;
and

- it would
be inappropriate for CRAs to collect and report payment
performance information in relation to utilities such as
telecommunications, energy and water.

2. Objectives

2.1 Objectives
of government action

The
objective of government action is to respond to the ALRC
recommendations on consumer credit reporting reform in the context
of the Government’s response to the wider ALRC review of
privacy law. The specific objectives are to:

provide
consumer credit providers with sufficient information to allow them
to adequately assess credit risk while ensuring the protection of
personal information to the greatest extent possible;
and

encourage
responsible lending.

2.2
Existing policy and regulations

Part IIIA
of the Privacy Act precisely defines the categories of personal
information which may be collected and disclosed for credit
reporting purposes. The policy objective of the existing
credit reporting system is to provide a mechanism to allow a
limited amount of personal information to be collected and
disclosed in the credit reporting system for the efficient
operation of the consumer credit market.

The ALRC
has recommended changes to the existing credit reporting system in
order to permit more comprehensive credit reporting.
Amendments would be required to Part IIIA of the Privacy
Act.

3
Options that may achieve the objectives

3.1
Implementation scope

Part IIIA
of the Privacy Act regulates the consumer credit reporting
system. Against this background, the proposed options address
the ALRC’s recommendations 55-1 and 55-2 on adopting a more
comprehensive consumer credit reporting system within the Privacy
Act. The scope of implementation is limited to amending, or
not amending, Part IIIA of the Privacy Act.

The ALRC
considered options to make the current credit reporting system more
effective. [17]
These options included improving the accuracy of existing credit
reporting data, requiring consumer declarations in relation to loan
applications and expanding financial literacy programs.
However, the ALRC did not recommend any of these options for action
and accordingly this RIS does not consider these
options.

Implementation
of the ALRC recommendations would enable CRAs to collect additional
information. However, CRAs would not be obliged to collect
additional information. It is expected that CRAs will only
incur any costs in collecting additional information (whether
through redeveloping systems or for other reasons) if they expect
the benefits of collecting more comprehensive credit information to
outweigh the costs.

3.4
Option 2(b) - Expand the permitted categories outlined in Option 2(a) with
the addition of including an individual’s repayment
history

In
addition to the four additional categories of personal information
from Option 2(a), this option would also allow limited repayment
history information to be included, as follows:

· whether,
over the prior two years, the individual was meeting his or her
repayment obligations as at each point of the relevant repayment
cycle for a credit account; and, if not,

· the number
of repayment cycles the individual was in arrears.

Note that
the amount of any payments missed would not be
included. This option is based upon Recommendation 55-2 of
the ALRC Report, which recommends this option only be considered
where there also exists an adequate legislative framework imposing
responsible lending obligations on credit
providers.

4.
Assessment of impacts

4.1
Impact group identification

The groups
affected by the Options are:

individuals
who apply for credit

CRAs

credit
providers; and

small
businesses.

The Office
of the Privacy Commissioner (the OPC) would remain the responsible
regulator under all of the proposed options. It is expected
that Options 2 and 3 would have no, or only a low, impact upon the
OPC.

4.2
Assessment of costs and benefits

4.2.1
Impact of Option 1 - remain with status
quo

Individuals
- Benefits

The
current protections in the Privacy Act limit the amount of personal
data that may be collected, used and disclosed for the purpose of
credit reporting. These limitations reduce the risk of data
inaccuracy, misuse for marketing or other unauthorised purposes, or
misuse for illegal activity, including identity fraud.

Individuals
- Costs

The
limited information available in credit reports may misrepresent
the credit worthiness of individuals. For example, small
defaults for small amounts of credit remain on a credit report for
five years and may form the basis of a decision to approve credit,
even where this default may be trivial in contrast to the overall
credit history of an individual.

There is a
risk that consumer credit may be priced at a higher rate than would
otherwise be the case if more comprehensive credit information was
available. There is also a risk that consumers may be denied
credit or only have reduced credit made available because credit
providers may not have sufficient information to make fully
effective decisions about the risks associated with the allocation
of credit in the market as a whole or in relation to individual
consumers.

Credit
Reporting Agencies - Benefits

No
requirements to change current data retention practices, business
models or database technology.

Credit
Reporting Agencies - Costs

Current
regulation prevents CRAs from offering more comprehensive consumer
credit reports which may limit the greater profitability of
CRAs.

The
current limited number of information categories may create
competition costs by maintaining barriers to market entry for new
CRA businesses. Two of the existing CRAs have large
databases. Credit providers are more likely to use these CRAs
as the size of the databases gives them access to the greatest
potential number of consumer credit records. This may limit
new entrants into the market because it is likely to take more time
to develop databases of negative events like credit
defaults.

Credit
Providers - Benefits

No
requirements to change current use and disclosure practices in
relation to credit reporting information, business models or credit
assessment technology.

Credit
Providers - Costs

If an
applicant fails to disclose credit accounts and liabilities they
hold with other financial institutions, the credit provider is
unable to make a fully informed lending decision resulting in the
possibility of provision of credit to borrowers who are unable to
meet their financial obligations.

New
entrants into the credit provider market may face significant
barriers to entry as a consequence of insufficient information
about the credit risk of prospective credit consumers. New
players or smaller credit providers are unlikely to have more
comprehensive data available, while existing larger credit
providers are able to access their existing customer base.
This may mean knowledge of credit worthiness of individuals is
inadequate which may lead to greater default rates for new and
small credit providers.

Small
Businesses - Benefits

To the
extent that small businesses currently use the credit reporting
system, they would not be required to make any changes.

Small
Businesses - Costs

Small
businesses may wish to use more comprehensive credit reporting
information to provide greater certainty in the provision of credit
to customers. Maintaining the current negative credit
reporting system may place small businesses at proportionally
greater risk from defaulting credit customers. No information
is available on the extent of small business usage of the credit
reporting system so it is not possible to quantify the possible
costs.

4.2.2
Impact of Option 2(a) - Expand the permitted categories to include
four additional categories of personal
information

Individuals
- Benefits

Permitting
additional information provides the opportunity for credit
providers to better understand an individual’s credit
history. In turn this may:

The extent
to which price benefits (lower rates) would be realised by
consumers depends in part on the level of competition in the
consumer credit market - the greater the level of competition, the
more likely that the benefits of comprehensive credit information
would be passed on to consumers. While the magnitude of
consumer benefits is uncertain, it is noted that currently there
does not appear to be extensive competition in the consumer credit
sector, raising some doubt that consumers would realise significant
price benefits, at least over the short term. [18]
Consumers may, however, benefit from greater access to
credit.

Individuals
- Costs

Individuals
who are deemed to be a poor risk based on greater transparency
about credit worthiness may find that they face a higher price for
access to credit (assuming credit providers introduce differential
pricing).

Permitting
additional categories of personal information to be collected, used
and disclosed may increase the risk of data inaccuracy, misuse for
marketing or other unauthorised purposes, including identity
fraud. If there are no significant changes to the numbers of
CRAs operating in Australia, extremely large amounts of data about
individuals will be held and maintained by a small number of CRAs
which may increase the risk of data security challenges and the
consequences of any potential breaches. Information is not
available to quantify the possible cost of data inaccuracy.
In many instances, the cost to any individual that may be affected
by inaccurate records will not be obvious as individuals may
resolve the issue by dealing directly with the credit provider or
the CRA.

Credit
Reporting Agencies - Benefits

The
business model and marketability of CRAs are expected to be improved
by allowing them to collect, use and disclose a greater amount of
data on individuals who apply for credit, in turn giving CRAs the
opportunity to sell a more effective product.

Credit
Reporting Agencies - Costs

CRAs are
likely to incur financial costs associated with developing systems
to handle the additional information. However, CRAs can make
commercial decisions about how they raise funds to invest in
building systems to expand their systems and business operations
and how they decide to recoup any investments they choose to
make. CRAs may choose to off-set the investment costs against
fees obtained from allowing credit providers to access the more
comprehensive credit reporting information. For example, they
may change their fee structure, market their services to a broader
range of credit providers, or develop new services to market to
their existing client base of credit providers. CRAs have not
provided any information on the commercial decisions they may make
to address any costs.

Credit
Providers - Benefits

Access to
more comprehensive credit reporting information is expected to
allow credit providers to more accurately assess the risks involved
in lending to an individual and in turn to more appropriately price
credit. More information will allow credit providers to avoid
lending to those who are over-committed, leading to lower rates of
customer indebtedness and defaults and reducing costs for credit
providers in debt recovery and write-offs.

Access to
more comprehensive credit reporting information will provide a more
efficient tool for credit providers to comply with responsible
lending obligations under consideration in the NCCP
Bill.

Access to
more comprehensive credit reporting information may improve
competition in the consumer credit provider market by reducing
information asymmetry between credit providers, particularly
between larger and smaller credit providers. Currently, large
credit providers are able to access more comprehensive credit
information from their own customers and use this to assess credit
applications from their existing customers. In a more
comprehensive credit reporting system, small credit providers may
use the access to greater information to make more informed
decisions about the provision of their credit which may make their
businesses more competitive. It may also be the case that all
credit providers may be able to reduce the transaction costs
involved in assessing credit applications, creating a more
efficient credit market.

Credit
Providers - Costs

The
systems and processes used by credit providers to assess credit
applications may change to deal with access to more comprehensive
information. If systems and processes change this may result
in some costs for credit providers.

There may
be higher costs to access credit information if CRAs choose to
increase fees to off-set the costs of developing their
systems. It is not possible to quantify these costs as this
will be a commercial decision for CRAs and there is no information
available on what choices CRAs may make to recoup any additional
costs they may incur in updating their systems.

There may
be a risk that the increased predictive value of the data available
under this option may not be sufficient to justify the costs of
implementation.

Small
Businesses - Benefits

To the
extent that small businesses currently use the credit reporting
system, access to more comprehensive credit reporting information
is expected to allow small businesses to more accurately assess the
risks involved in lending to an individual. More information
will allow small businesses to avoid lending to those who are
over-committed, leading to lower rates of customer indebtedness and
defaults.

Small
Businesses - Costs

Although
there is no information available on the number of small businesses
that currently use the credit reporting system, more small
businesses may wish to use more comprehensive credit reporting
information to provide greater certainty in the provision of credit
to customers. Small businesses may face costs in developing
processes to assess credit applications with access to more
comprehensive information.

There may
be higher costs to access credit information if CRAs choose to
increase fees to off-set the costs of developing their
systems. It is not possible to quantify these costs as this
will be a commercial decision for CRAs and there is no information
available on what choices CRAs may make to recoup any additional
costs they may incur in updating their systems.

4.2.2.1
Research on credit market efficiency and macro-economic impact of
more comprehensive credit reporting

In
examining the introduction of comprehensive credit reporting the
ALRC considered economic analysis provided by industry
stakeholders. Broadly, stakeholders in support of
comprehensive credit reporting claim that empirical and
macro-economic studies provide important evidence about the likely
improvements to credit market efficiency and economic benefits of
comprehensive credit reporting.

The ALRC
did not commission any independent economic analysis on the
question of the possible macro-economic impact of credit reporting
systems. The ALRC noted that, on one view:

this
subject matter does not lend itself to precise modelling due to the
level of complexity and the small orders of magnitude involved in
terms of benefits. It is questionable whether any modelling
will provide definitive answers. [19]

The
Treasury has confirmed the ALRC views that data constraints
restrict the level of macro-economic modelling that can be done on
the possible impact of more comprehensive credit reporting.
However, analysis conducted by Treasury has found that the
introduction of positive credit reporting would be expected to
remove information asymmetries in the market and lead to some small
equity and efficiency benefits for credit market participants and
the Australian economy more broadly. [20]
The Treasury supports the introduction of comprehensive credit
reporting subject to sufficient privacy protections being put in
place.

Research
by Barron and Staten published in 2000 compared Australia’s
credit reporting rules with those of the United States (US). [21]
The research compared the accuracy of risk scoring models using the
wider credit reporting information available under the US system
with the more limited information available in Australia. The
US model of credit reporting includes information such as the type
of account, credit limit, payment history, employer and account
balance.

The
findings of the research were that more comprehensive credit
reporting rules resulted in fewer loan defaults while maintaining
the same loan approval rate. The report found, for example,
that at an approval rate of 60%, use of the credit reporting
information permitted at present in Australia produced a default
rate of 3.35% compared to a default rate of 1.9% in the US.
At the same time, assuming that default rates were maintained at
around the same rate (eg 4%), credit providers using information
available in the current Australian system would extend new credit
to 11,000 fewer consumers for every 100,000 applicants than would
be the case in the US under their credit reporting
system.

Later
research by Barron and Staten, conducted in 2007 at the request of
the Australian Finance Conference, compared the above findings with
three other possible credit reporting models. [22]
The research found that at the targeted approval rate of 60%, the
intermediate model (similar to Option 2(b)) produced a 2.46%
default rate. The ALRC notes the assertions that the
implications of the research are that consumer credit will be less
available and more expensive in countries, such as Australia, where
the credit reporting system omits information that would provide a
more complete picture of a consumer’s financial
position. [23]

The
findings in the Barron and Staten research appear to be supported
by other reports which broadly compared different credit systems in
different countries. Research referring to overseas data
demonstrated a lower default rate and reduced bankruptcies
following the introduction of comprehensive credit reporting in
several countries. For example, econometric research
analysing the credit reporting regimes and credit markets in 43
countries, including the US, Australia and most other Organisation
for Economic Co-operation and Development countries found that the
breadth and depth of a credit market was positively associated with
the extent of the credit information that was exchanged between
lenders. [24]
A number of submissions to the ALRC cited the example of Hong Kong,
which appears to be experiencing far fewer loan defaults since the
introduction of comprehensive credit reporting in 2002, although
the ALRC also noted that it was not clear to what extent the change
was due to the recovery in Hong Kong’s economy that occurred
at the same time. [25]

The ALRC
identified methodological limitations and assumptions made by the
research. [26]
For example, the Barron and Staten modelling did not take into
account issues such as the weight given to more comprehensive
credit information provided by customers under the Australian model, or
the possibility that the assessment processes used by credit
providers may differ from the research models. The research
assumed that those credit reporting systems which collected more
information used that information effectively. The research
did not consider other economic factors, including country specific
factors, which may have positively influenced the availability of
credit or the impact of any broader economic factors on default
levels. In addition, the research was conducted before the
Global Financial Crisis.

Australian
studies

Research
measuring the predictive effect of adding additional information to
credit reporting databases to assess credit worthiness was
conducted at the initiative of the Australian Retail Credit
Association (ARCA) and sponsored by a number of credit
providers. [27]
The research considered a number of models under which additional
information was collected. The models considered were
identical to the options identified above (see heading 3,
Options). Four major Australian banks and a number of
international financial services groups participated in the
research by analysing their own internal data to estimate the
relative predictive effect of different information variables as
identified in each option.

The
research produced a percentage score to indicate how useful each
option was to credit providers in collecting information to assess
credit worthiness. The benchmark against which each option
was assessed was a hypothetical situation where all relevant credit
reporting information (including, for example, full details of
repayment performance, which is not a feature of any of the
options) was available. This benchmark was assigned a
performance score of 100%. When the performance of each
option was compared to the benchmark, the research reached the
following conclusions:

Option 1 -
the permitted categories of information are unchanged - the
predictive value of the information is 10%.

Option
2(a) - the permitted categories of information are expanded to
include the four additional variables - increases the
predictive value of the information above option 1 by an additional
23% to a total of 33%.

Option
2(b) - the permitted categories of information are expanded to
include the four additional variables and repayment performance
history - increases the predictive value of the information above
option 2(a) by an additional 22% to a total of 55%.

However,
the research methodology and research results are not available and
have not been independently verified. The predictive scores
assigned to each option are notional in the sense that they are a
comparison against a benchmark that does not currently exist and
there is no evidence provided to indicate how the contribution of
each information element was assessed. In addition, the
benchmark was not recommended by the ALRC, is not an option
proposed in this RIS, and has not been proposed or supported by
stakeholders, including ARCA, as an appropriate model for
Australian conditions.

4.2.2.3
Research on macro-economic benefits

A 2004
study conducted by ACIL Tasman for MasterCard modelled the
macro-economic impact of introducing more comprehensive credit
reporting in Australia. The report concluded that
comprehensive credit reporting would generate a one-off increase in
capital productivity of 0.1%, which would translate to economic
benefits to the Australian economy of up to $5.3 billion, in net
present terms, over the next 10 years. [28]
ACIL Tasman used what was described as an ‘applied general
equilibrium model’ of the Australian and world economies to
quantify the benefits of more comprehensive credit reporting.
In conducting the research, the model
assumed that more efficient credit markets would have
implications for most sectors of the economy.

Research
conducted by Access Economics on behalf of Veda Advantage claimed
that more credit reporting information would enable lenders to
improve the accuracy of risk assessment, reduce defaults and debt
over commitment and provide credit to those who cannot currently
prove their creditworthiness. Additionally, the research
found that comprehensive credit reporting would also lead to an
overall increase in consumer debt levels and a related increase in
consumer spending. [29]

Advice
from Treasury confirmed that comprehensive credit reporting is
likely to lead to some small equity and efficiency benefits for
credit market participants and the economy more broadly.
However, the research is subject to similar criticisms to those made
about research on credit market effects. Treasury have
advised that the methodologies employed to measure the
macro-economic effects have limitations. The ALRC noted that
it is difficult to model precisely the macro-economic impact of
comprehensive credit reporting due to the level of complexity and
the small orders of magnitude involved in assessing the possible
benefits. The ALRC drew the following conclusion:

It is
questionable whether any modelling will provide definitive
answers. For example, Australia is recognised as having a
credit market that is very competitive by international
standards. This may limit the potential for further
competitive gains resulting from more comprehensive
reporting. Equally, a macro-economic upturn seems likely to
have a much greater influence on credit availability than any
change to a credit reporting system. [30]

4.2.2.4
Research on competition in credit markets

The credit
reporting industry strongly advocates the view that comprehensive
credit reporting will have a positive effect on competition in
Australian credit markets. The 2004 ACIL Tasman report stated
that, for example, the experience of the US in the 1990s following
increases in the types of personal data collected and used in
credit reporting saw ‘a wave of new entrants into the bank
credit card market’. [31]
The benefits of this competition were said to put downward pressure
on interest rates and fees for bank credit cards and encourage the
targeting of lower interest rates to low risk borrowers. The
breadth of the credit card market also expanded. However, the
report does not provide evidence to clearly demonstrate the extent
to which the identified benefits were directly attributable to
credit reporting changes or whether other changes in the consumer
credit environment had a significant impact.

In
summary, the research suggests greater economic benefits than
disadvantages flowing from the introduction of comprehensive credit
reporting. The economic benefits are principally found in
improving interest rate pricing. The Treasury in its
submission to the ALRC noted that overall comprehensive credit
reporting would address information asymmetries and thereby improve
the targeting of credit, and the assessment, and thus pricing, of
risk. [32]

4.2.3
Impact of Option 2(b) - Expand the permitted categories to include
four additional categories of personal information (Option 2(a))
with the addition of including an individual’s repayment
history

Individuals
- Benefits

The
inclusion of this additional data set will enhance the predictive
value of credit worthiness which should lead to more informed
lending practices and result in greater efficiency and
effectiveness in consumer credit lending.

An
enhanced predictive value may lead to improved pricing of credit
risk which may provide more affordable credit (through, for
example, reduced interest rates or transactions costs) for low risk
consumers and greater access to credit for consumers who may not
have been able to otherwise demonstrate an adequate credit
history. However, the likely benefits to consumers will
depend, in part, on the level of competition in the consumer credit
market (in the same way that this issue may influence the possible
benefits to individuals noted above under Option 2(a)).

Individuals
- Costs

Individuals
who have poor credit histories may have difficulty in obtaining
credit or be required to obtain more costly credit (for example,
from providers who lend at higher rates).

As access
to this dataset may increase the number of loans issued overall,
there may be a risk that there will be an increase in irresponsible
lending to those unable to meet their obligations. However,
the ALRC recommended repayment history information only be
permitted once credit providers are subject to responsible lending
obligations.

Individuals
who are deemed to be a poor risk based on greater transparency
about credit worthiness may find that they face a higher price for
access to credit (assuming credit providers introduce differential
pricing).

This
option also presents similar possible costs to individuals as
identified in relation to option 2(a). Permitting additional
categories of personal information to be collected, used and
disclosed, including the inclusion of an individual’s
repayment history, may increase the risk of data inaccuracy, misuse
for marketing or other unauthorised purposes, including identity
fraud. Any inaccurate records may restrict individuals from
gaining access to credit. Data is not available to quantify
the possible cost. If there are no significant changes to the
numbers of CRAs operating in Australia, extremely large amounts of
data about individuals will be held and maintained by a small
number of CRAs which may increase the risk of data security
challenges and the consequences of any potential breaches.
Information is not available to quantify the possible cost of data
inaccuracy. In many instances, the cost to any individual
that may be affected by inaccurate records will not be obvious as
individuals may resolve the issue by dealing directly with the
credit provider or the CRA.

Credit
Reporting Agencies - Benefits

The
business model and marketability of CRAs will be improved by
allowing them to collect, use and disclose a greater amount of data
on individuals who apply for credit, in turn giving CRAs the
opportunity to sell a more effective product.

Implementing
repayment history data at the same time as the other proposed data
sets in Option 2(a) would significantly reduce set up costs for
credit reporting agencies compared with a decision at a later date to
separately implement the repayment history data set.

Credit
Reporting Agencies - Costs

As noted
under option 2(a), CRAs are likely to incur financial costs
associated with developing systems to handle the additional
information. However, CRAs can make commercial decisions
about how they raise funds to invest in building systems to expand
their systems and business operations and how they decide to recoup
any investments they choose to make. CRAs may choose to
off-set the investment costs against fees obtained from allowing
credit providers to access the more comprehensive credit reporting
information. For example, they may change their fee
structure, market their services to a broader range of credit
providers, or develop new services to market to their existing
client base of credit providers. CRAs have not provided any
information on the commercial decisions they may make to address
any costs.

Credit
Providers - Benefits

The
listing of repayment history would provide credit providers with an
independent and easily obtainable source of information about an
individual’s repayment history and may assist credit
providers in identifying individuals who are under credit
stress. Access to this information is viewed by credit
providers as an important tool to complement any responsible
lending obligations.

It is
possible that the expected greater efficiencies gained by including
repayment history information (in terms of improved credit
delinquency predictability, which in turn reduces costs associated
with defaulting customers) may offset the administrative costs
involved in setting up comprehensive credit reporting under the
four datasets in Option 2(a).

The
inclusion of the repayment history data set in the credit reporting
system at the same time as the other data sets in Option 2(a) will
significantly reduce set up costs for credit providers compared with
a decision at a later date to separately implement the repayment
history data set.

Credit
Providers - Costs

As noted
under option 2(a), the systems and processes used by credit
providers to assess credit applications may change to deal with
access to more comprehensive information. If systems and
processes change this may result in some costs for credit
providers. No information is available to quantify any cost
that may occur.

As noted
under option 2(a), there may be higher costs to access credit
information if CRAs choose to increase fees to off-set the costs of
developing their systems. It is not possible to quantify
these costs as this will be a commercial decision for CRAs and
there is no information available on what choices CRAs may make to
recoup any additional costs they may incur in updating their
systems.

However, a
credit provider would not be required to access comprehensive
credit reporting information unless it was deemed necessary for
their business and was cost effective. The regulation would
simply set up a tool which credit providers could access
voluntarily.

Small
Businesses - Benefits

To the
extent that small businesses currently use the credit reporting
system, access to repayment history information is expected to
allow small businesses to more accurately assess the risks involved
in lending to an individual. More information will allow
small businesses to avoid lending to those who are over-committed,
leading to lower rates of customer indebtedness and
defaults.

Small
Businesses - Costs

Although
there is no information available on the number of small businesses
that currently use the credit reporting system, more small
businesses may wish to use the credit reporting system if it
includes repayment history information. Small businesses may
consequently face costs in developing processes to assess credit
applications.

There may
be higher costs to access credit information if CRAs choose to
increase fees to off-set the costs of developing their
systems. It is not possible to quantify these costs as this
will be a commercial decision for CRAs and there is no information
available on what choices CRAs may make to recoup any additional
costs they may incur in updating their systems.

4.2.3.1
Research specific to the listing of repayment
history

As noted
above, research by ARCA found that including the repayment history
of an individual significantly increased the predictive value of a
credit report to 41%. This research accords with widely
accepted economic theory that making more information available to
credit providers will tend to increase efficiency in the market for
credit. It will also assist in making credit more available
to those able to repay and reduce rates of default (or both).
There was no significant disagreement among stakeholders in their
submissions to the ALRC Report that more comprehensive credit
reporting has the potential to improve risk assessment by credit
providers, even among those who expressed concern about how this
improved risk assessment would be used in the credit
market.

There is
little evidence to demonstrate that this additional data set will
subject consumers to greater burdens in terms of higher priced
credit or lack of credit. Such matters will be dependent on
the applicable business practices of the credit provider and the
need to adequately price credit in terms of a person’s
risk. It is noted that in many circumstances the number of
‘bad risk’ customers who are denied credit will
effectively be balanced by those ‘good risk’ customers
who are afforded credit under the comprehensive scheme (but would
not have been under the ‘negative’ scheme).

It should
be noted that Option 2(b) is only to be implemented with the
implementation of responsible lending legislation under the NCCP
Bill. While repayment history would provide a benefit to
credit providers in determining credit risk of individuals, there
are strong concerns expressed by privacy and consumer advocates
that this extra category of information does not necessarily
guarantee responsible lending of credit. Advocates are
concerned that the repayment history will provide credit providers
with a very clear picture of a person’s financial status
without imposing any obligations to use this information in a
responsible way. Consumer advocates in particular consider
that the availability of more credit information will lead to less
risk averse decisions by credit providers (i.e. credit providers
will use a good repayment history to justify providing credit to an
individual even where the individual has credit burdens beyond
their means). There is therefore a clear link between
potential regulation imposing responsible lending obligations and
the possible implementation of comprehensive credit
reporting.

These
concerns would be off-set by the requirement that only those credit
providers that are subject to the responsible lending requirements
in the NCCP Bill would be allowed to access repayment history from
CRAs.

To offset
privacy concerns the ALRC made recommendations that require credit
providers and CRAs to enhance data quality and security
requirements and provide for more effective complaint handling
procedures. Chapters 58 and 59 of the ALRC Report outline a
series of recommendations regarding these matters.
Recommendation 58-4 recommended that CRAs should be required to
enter into agreements with credit providers to ensure the quality
and security of data and to implement controls to ensure data is
accurate, complete and up to date. Recommendation 58-7
provides that credit providers may only list overdue payment or
repayment performance history where the credit provider is a member
of an external dispute resolution scheme recognised by the Privacy
Commissioner. Additionally, recommendation 59-8 requires that
evidence must be provided to an individual substantiating
information in a credit report within 30 days where the credit
reporting information is disputed or alternatively the matter must
be referred to an external dispute resolution scheme recognised by
the Privacy Commissioner.

5
Consultation

5.1 ALRC
Report Consultation

The ALRC
consulted with a wide variety of stakeholders which included CRAs,
credit providers, consumer and privacy advocates and the OPC.
The ALRC found there was broad support for the implementation of
some form of more comprehensive reporting, especially from CRAs and
credit providers. [33]

Consumer
groups, privacy advocates, the OPC and the Banking and Financial
Ombudsman generally opposed more comprehensive credit
reporting. These stakeholders focused on alternatives and
desirable pre-conditions to the possible introduction of more
comprehensive credit reporting. [34]

A number
of stakeholders, including OPC, suggested that further study is
required before reaching any decision to recommend the
implementation of more comprehensive credit reporting, including
studies which focus on the possible impact on over-indebtedness and
access to affordable credit. A CRA had proposed to the ALRC
that it would conduct a further study to model the effect that more
comprehensive consumer credit reporting would have on the accuracy
of credit providers’ application risk evaluation.
However, the study was not carried out, in part because of what the
CRA believed to be existing restrictions under the Privacy
Act. [35]

5.2
Consultation since the release of the ALRC
Report

The
Government undertook extensive consultations with, and received
written submissions from, relevant stakeholders on the ALRC’s
credit reporting recommendations. Stakeholders identified
included CRAs, credit providers, relevant industry and professional
organisations, academics, and consumer and privacy advocates and
organisations. The Government also publicised the
consultations and opened them to submissions from the
public. [36]

The
Government held a number of roundtable consultations on the ALRC
credit reporting recommendations in December 2008. There were
22 credit reporting industry attendees and eight privacy and
consumer advocate attendees. 15 written submissions were
received from the stakeholders. The Department also held a
number of individual meetings with stakeholders in the first half
of 2009 to discuss the application of the ALRC’s
recommendations.

There was
broad support for the introduction of more comprehensive credit
reporting. While some consumer and privacy advocates remained
opposed to the ALRC’s recommendations for more comprehensive
credit reporting, most consumer and privacy advocates reluctantly
agreed with many of the recommendations and the inclusion of
repayment performance history. Those who agreed with the ALRC
recommendations only supported comprehensive credit reporting to
the extent that it was introduced strictly along the lines
recommended by the ALRC Report. CRAs and large credit
providers vigorously supported the inclusion of repayment history
and strongly expressed their view that they considered this dataset
to be the decisive factor in improving the credit reporting
system. CRAs and credit providers expressed the view that the
absence of repayment history would be likely to mean that the
benefits of comprehensive credit reform would not outweigh the
costs of introducing the other changes.

6
Conclusion and Recommended Option

Option
2(b) is preferred. The introduction of more comprehensive
credit reporting in the form of the additional five data sets will
provide consumer credit providers with the opportunity to access
enhanced information to establish an individual’s credit
worthiness. It is expected that this will allow more robust
assessments of consumer credit risk, both in the market as a whole
and in relation to individual applications, which can assist
responsible lending and potentially lead to lower consumer credit
default rates. The economic benefits to industry and
individuals alike outweigh the reduction of privacy protections to
these categories of personal information. However, the extent
to which consumers gain will depend, in part, on the level of
competition in the consumer credit market. The inclusion of
repayment history information appears to provide an appropriate
increase in the predictive value of credit reporting
information. Recognising the importance of this information
to the ability of credit providers to make responsible lending
decisions, the Government has decided to implement responsible
lending obligations in the NCCP Bill.

7
Implementation and Review

The
Government will consider the public release of the stage one
Government response to the ALRC Report, which includes the
ALRC’s credit reporting recommendations. The Government
intends to implement the Government’s response to the ALRC
recommendations through draft legislation which will be released
for public comment. In relation to the credit reporting
provisions of the draft legislation, it is anticipated that further
consultations will occur with a small number of identified expert
stakeholders to obtain their assistance in addressing technical
issues to be covered by the drafting process. As part of this
process transitional issues will be considered, which will include
any necessary transitional arrangements to assist in minimising any
possible negative effects to the consumer credit market from the
implementation of the credit reporting reforms.

The
Government has released the NCCP Bill for public comment and made
announcements indicating the Government’s commitment to
introduce responsible lending obligations. This is consistent
with the terms of ALRC recommendation 55-3, which recommended
repayment history information only be made available if the
Government is satisfied there is an adequate framework imposing
responsible lending obligations.

ALRC
recommendation 55-5 stated that the more comprehensive credit
reporting information should be deleted two years after the date on
which a credit account is closed. The Government will include
timeframes for the deletion of information in the implementation of
the Government’s response to the credit reporting
recommendations.

It is
recommended that a review of the introduction of the additional
datasets by the Government take place in five years from the
commencement of more comprehensive credit reporting in accordance
with Recommendation 54-8 of the ALRC Report.

PART B:
Industry Developed Credit Reporting Code of
Conduct

8.
Problem

Non-legislative
guidance should be issued to deal with a range of operational
matters to ensure effective compliance with the requirements of the
credit reporting provisions of the Privacy Act. The
appropriate form of this guidance is the issue to be
determined.

Section
18A of the Privacy Act currently requires the Privacy Commissioner
to issue a Code of Conduct dealing with operational matters.
The Privacy Act sets out high level obligations and does not deal
with detailed operational matters. In addition, the Privacy
Act does not prescribe detailed operational procedures because it
would not be a flexible mechanism to deal with issues of
detail. For example, it would be difficult to take into
account changing technical standards and practices that may occur
in the credit reporting industry and which may require the revision
of the detailed guidance material.

In
recommendation 54-9 the ALRC proposes that CRAs and credit
providers develop an industry Code of Conduct in consultation with
consumer groups and regulators. The ALRC expressed the view
that an industry developed Code would form a necessary adjunct to
the credit reporting provisions in the Privacy Act. The ALRC
recommended that the Code be developed by industry because of the
perceived need for industry to have a greater involvement in
developing procedures which affect their day to day compliance with
the Privacy Act.

Consistent
with ALRC recommendation 48-1 on binding codes, the credit
reporting Code would ‘fill in the gaps’ between the new
credit reporting provisions and compliance with the obligations set
out in the provisions. It would provide detailed
guidance within the framework of the requirements of the credit
reporting provisions in the Privacy Act.

In
assessing the suitability of the type and structure of a credit
reporting Code, it should be noted that the details of the
Code’s content can only be developed once the Government has
settled the framework of the new credit reporting system.
However, it is expected that the Code would be an appropriate
mechanism to address the following matters:

o rules on
the calculation of overdue payments for credit reporting
purposes;

o obligations
to prevent the multiple listing of the same debt;

o requirements
to update credit reporting information; and

o rules
around linking credit reporting records which may or may not relate
to the same individual

- dispute
resolution processes, and

- protocols
and procedures for the auditing of credit reporting
information.

9.
Objectives

The
objective of government action is to respond to the ALRC
recommendations on the introduction of an industry led Code of
Conduct in the context of the Government’s response to the
ALRC recommendations on the credit reporting system and the wider
ALRC review of privacy law. The specific objective is to
provide a mechanism to put into place standards dealing with
operational issues to assist compliance by the credit reporting
industry with the requirements of the new credit reporting
system.

10.
Options that may achieve the objectives

10.1
Implementation scope

The
jurisdiction of the Privacy Act sets the scope for implementing a
credit reporting Code of Conduct. Within this framework, the
parameters of the proposed options are confined to responding to
the ALRC Report’s recommendations on a credit reporting
Code.

This
option would preserve the existing requirement for the Privacy
Commissioner to issue a credit reporting Code of Conduct. The
existing Code of Conduct will require revision to deal with
operational issues raised by more comprehensive credit reporting
(if accepted).

10.3
Option 2 - Introduce a binding Code of Conduct developed
by industry in accordance with the code making powers set out in
Part IIIAA of the Privacy Act

Under this
option:

the
Privacy Act would specifically require CRAs and credit providers to
develop a Code covering a broad range of operational issues as
identified in the Privacy Act and in consultation with consumer
representatives and regulators

any CRA or
credit provider who intended to participate in the consumer credit
reporting industry would be required to be a party to the
Code

the Code
would be a legally binding Code under the Privacy Act. It
would operate in addition to the credit reporting provisions and
could not override or apply lesser standards than those contained
in the Privacy Act

the Code
must be approved by the Privacy Commissioner, who would also have
the power to review the Code; and

a breach
of the Code would be deemed to be a breach of the Privacy Act and
the Privacy Commissioner or a relevant External Dispute Resolution
(EDR) scheme would be entitled to determine a complaint in
accordance with the provisions of the Privacy Act or Code (as
appropriate).

The
industry may choose to address some credit reporting issues (such
as reciprocity between industry participants in the credit
reporting system) which will not be regulated by the credit
reporting provisions. It would be a matter for industry to
determine what, if any, additional issues should be included.
As these matters would fall outside the credit reporting provisions
they would not require approval by the Privacy
Commissioner.

the
Privacy Act would not set out any requirements for the existence or
contents of a Code of Conduct

the Code
would not be binding under the Privacy Act

it would
be a matter for the credit reporting industry to determine whether
to develop a Code and the contents of the Code

any Code
developed by industry would be a non-prescribed voluntary industry
code of conduct under the Trade Practices Act 1974.
Depending on the contents of the Code, it may be authorised by the
Australian Competition and Consumer Commission (ACCC) for certain
conduct on public benefit grounds that may otherwise be proscribed
by the Trade Practices Act

Any
Code would establish standards which would be voluntarily agreed by
its signatories. The Code would be a contractual arrangement;
and

the Code
would be enforceable where CRAs and credit providers have agreed to
be bound by the Code and established dispute resolution procedures
in the Code (such as an EDR service). The terms of the Code
would not be enforceable by the Privacy Commissioner or the
ACCC.

11.
Assessment of impacts

11.1
Impact group identification

The groups
affected by the Options, in the order of the magnitude of the
impact, are:

While the
existing Code would need to be revised if more comprehensive credit
reporting is introduced, it is likely there would be minimal costs
in complying with a revised Code. CRAs would be consulted in
the development of the Code to ensure business practices are
adequately considered. To the extent that CRAs decide to
collect more comprehensive credit reporting information, compliance
with the revised Code could be built into the development of any
new systems and procedures required by the adoption of more
comprehensive credit reporting. Where existing requirements
of the Code are unchanged, there would be no compliance costs as
CRAs would already be in compliance with these
requirements.

Credit
Reporting Agencies - Costs

The
current Code of Conduct does not deal in detail with some of the
operational and procedural steps used within existing industry
practices, which may lead to less clarity and consistency within
the industry. Further detail could provide more precise
guidance to CRAs on current industry practices, assisting CRAs to
comply with the credit reporting provisions.

While CRAs
would be consulted by the OPC in any Code revision process
resulting from the reforms to the credit reporting provisions, they
would not have a central role in amendments to the Code of
Conduct. This reduces the ability of CRAs to form and direct
changes in the Code of Conduct, such as in situations where
technological developments may mean changes to operational
practices that could benefit from guidance in the Code of
Conduct. CRAs would not be able to take the initiative in
developing and proposing revisions to the Code, but instead would
need to convince the OPC to initiate a review of the Code. A
lack of clear guidance may restrict future developments in the
industry, which may result from the adoption of new technologies or
the identification of new opportunities to use or manage
data. This may have the cost of reducing possible economic
opportunities and benefits. Evidence is not available to
quantify any possible costs.

The
purpose of the Code is to provide practical guidance to CRAs to
assist compliance with the requirements of the Privacy Act and it
is expected that detailed compliance information will be of
significant assistance to the CRA industry. However, there is
a slight possibility that the existence of the Code may discourage
new CRA industry entrants. New entrants may prefer to
establish alternative procedures and processes that comply with the
requirements of the Privacy Act but do not match the detailed
guidance contained in the Code. In addition, new entrants
would not have had the opportunity to contribute to the Code
development process.

Credit
Providers - Benefits

While the
existing Code would need to be revised if more comprehensive credit
reporting is introduced, it is likely there would be minimal costs
in complying with a revised Code. Credit providers would be
consulted in the development of the Code to ensure business
practices are adequately considered. Compliance with the
revised Code could be built into the development of any new systems
and procedures required by the adoption of more comprehensive
credit reporting. Where other existing requirements of the
Code are unchanged, there would be no compliance costs as credit
providers would already be in compliance with these
requirements.

Credit
Providers - Costs

Similar
issues exist for credit providers as those identified for
CRAs. The current Code of Conduct does not deal in detail
with some of the operational and procedural steps used within
existing industry practices, which may lead to less clarity and
consistency within the industry. Further detail could provide
more precise guidance to credit providers on current industry
practices, assisting credit providers to comply with the credit
reporting provisions.

Credit
providers would not have a central role in amendments to the Code
of Conduct, although they would be consulted by the OPC in any Code
revision process resulting from the reforms to the credit reporting
provisions. This reduces the ability of credit providers to
form and direct changes in the Code of Conduct, such as in
situations where technological developments may mean changes to
operational practices that could benefit from guidance in the Code
of Conduct. The credit industry would not be able to take the
initiative in developing and proposing revisions to the Code, but
instead would need to convince the OPC to initiate a review of the
Code. A lack of clear guidance may restrict future
developments in the industry, which may result from the adoption of
new technologies or the identification of new opportunities to use
or manage data. This may have the cost of reducing possible
economic opportunities and benefits. Evidence is not
available to quantify any possible costs.

The
purpose of the Code is to provide practical guidance to credit
providers to assist compliance with the requirements of the Privacy
Act and it is expected that detailed compliance information will be
of significant assistance to credit providers. However, there
is a slight possibility that the existence of the Code may
discourage new credit providers. New credit providers may
prefer to establish alternative procedures and processes that
comply with the requirements of the Privacy Act but do not match
the detailed guidance contained in the Code. In addition, new
credit providers would not have had the opportunity to contribute
to the Code development process.

Office of the Privacy Commissioner - Benefits

This
option would ensure that OPC retains complete control over the
development and promulgation of the Code. OPC would continue
to be required to consult with stakeholders in revising the Code,
but it would be a matter for OPC to decide when to review the Code
and what elements of the Code require revision.

Office of the Privacy Commissioner - Costs

The OPC
does not have the necessary industry knowledge to provide specific
guidelines on operational and procedural issues. While the
OPC is required to consult stakeholders and can obtain extensive
information through the consultation process, the OPC would be
required to devote resources to reviewing the Code and developing
amendments. The proposed introduction of more comprehensive
credit reporting means that the OPC will be required to review the
Code. It is not possible to estimate the total expected cost
of a full review of the Code and there have been no comprehensive
reviews of the Code on which to base estimates of possible
costs.

Small Businesses - Benefits

Some small
businesses may be credit providers depending on whether they offer
goods or services on terms that involve credit. It would be
expected that any review of the Code by the OPC would include
consultation with small business representatives as stakeholders in
the review. Businesses are not required to participate in the
credit reporting system and, where small businesses choose not to do
so, they would not be affected by a revised Code.

Small Businesses - Costs

A revised
Code will deal in detail with operational matters arising from the
adoption of more comprehensive credit reporting. To the
extent that small businesses decide to participate in the credit
reporting system and use more comprehensive credit reporting
information, they will need to comply with the requirements of the
Code, including, for example, requirements to participate in EDR
services. It is not possible to quantify the possible
compliance costs for small businesses as there is no information
available on the number of small businesses likely to use more
comprehensive credit reporting.

Individuals - Benefits

Individuals
would benefit from consistent operational standards for industry
practices. Individuals would be concerned to ensure that the
Code achieved an appropriate balance between the protection of
personal information and the operational needs of the credit
reporting industry. As the OPC has responsibility for the
development and review of the Code, individuals can rely on the OPC
to ensure their interests in the effective protection of personal
information are protected.

Individuals
would also benefit from the legal status of the Code to ensure
their rights are enforced. The Code would remain a
disallowable instrument, which means that a breach of the Code
could be the subject of a complaint to the Privacy
Commissioner.

Individuals - Costs

A Code is
intended to ensure consistency and certainty in operational
practices throughout the credit reporting industry. There are
no obvious costs for individuals.

11.2.2 Impact of Option 2 - Introduce a binding Code developed by
industry in accordance with the code making powers set out in Part
IIIAA of the Privacy Act

Credit Reporting Agencies - Benefits

This
option requires the credit reporting industry to develop a Code
that would be binding under the Privacy Act. Credit industry
control of the code making process would:

· allow the
industry to apply detailed knowledge of industry practices to
determine the best procedures to ensure practical compliance with
the requirements of the Privacy Act

· provide
the industry with the flexibility to review the Code and develop
necessary changes to the Code (subject to OPC approval) as required
by changes in industry standards; and

· ensure the
credit reporting industry adopts best standard practices which have
been developed in consultation with all industry participants,
improving the overall reliability of industry practices and
enhancing the operation of the credit reporting system.

The
ability of the credit reporting industry to develop (in
consultation with stakeholders, including consumer advocates) and
adhere to a binding Code may assist the industry to build greater
trust by individuals in the operational standards and reliability
of credit reporting practices.

Credit Reporting Agencies - Costs

The code
making process would require the cooperation of all industry
participants to develop specific operational and procedural
requirements. The process of developing the Code may involve
costs to the industry, such as:

· the time
taken to develop a binding Code may be significant as industry
groups must come to agreement about the provisions of the Code and
take into account that the OPC will also need time to approve the
Code

· costs
associated with drafting the Code

· costs
involved in consulting with stakeholders, both within the credit
industry as well as with consumer and privacy advocates and
regulators; and

· possible
costs associated with any future review of the Code.

It is not
possible to estimate the actual costs that may be incurred.
Many of these potential costs are unlikely to be incurred because
the credit industry has already begun work on the development of a
Code. The Australian Retail Credit Association (ARCA) is
developing a draft Code on a range of operational matters that
could be readily modified to include additional matters raised by
the introduction of more comprehensive credit reporting. The
ARCA Code is discussed below in section 11.2.4.

It is
expected that detailed compliance information will be of
significant assistance to the CRA industry. However, there is
a slight possibility that the existence of the Code may discourage
new CRA industry entrants. New entrants may prefer to
establish alternative procedures and processes that comply with the
requirements of the Privacy Act but do not match the detailed
guidance contained in the Code. In addition, new entrants
would not have had the opportunity to contribute to the Code
development process.

Credit Providers - Benefits

This
option requires the credit reporting industry to develop a Code
that would be binding under the Privacy Act. Credit industry
control of the code making process would:

· allow the
industry to apply detailed knowledge of industry practices to
determine the best procedures to ensure practical compliance with
the requirements of the Privacy Act

· provide
the industry with the flexibility to review the Code and develop
necessary changes to the Code (subject to OPC approval) as required
by changes in industry standards; and

· ensure the
credit reporting industry adopts best standard practices which have
been developed in consultation with all industry participants,
improving the overall reliability of industry practices and
enhancing the operation of the credit reporting system.

The
ability of the credit reporting industry to develop (in
consultation with stakeholders, including consumer advocates) and
adhere to a binding Code may assist the industry to build greater
trust by individuals in the operational standards and reliability
of credit reporting practices.

Credit Providers - Costs

The code
making process would require the cooperation of all industry
participants to develop specific operational and procedural
requirements. The process of developing the Code may involve
costs to the industry, such as:

· the time
taken to develop a binding Code may be significant as industry
groups must come to agreement about the provisions of the Code and
take into account that the OPC will also need time to approve the
Code

· costs
associated with drafting the Code

· costs
involved in consulting with stakeholders, both within the credit
industry as well as with consumer and privacy advocates and
regulators; and

· possible
costs associated with any future review of the Code.

It is not
possible to estimate the actual costs that may be incurred.
Many of these potential costs are unlikely to be incurred because
the credit industry has already begun work on the development of a
Code. The Australian Retail Credit Association (ARCA) is
developing a draft Code on a range of operational matters that
could be readily modified to include additional matters raised by
the introduction of more comprehensive credit reporting. The
ARCA Code is discussed below in section 11.2.4. However, ARCA
appears to represent large organisations in the credit
industry. If ARCA takes a leading role in developing the
Code, it is possible that smaller credit providers which are not
members of ARCA may not be in a position to influence the code
making process to the same extent as ARCA members. This may
mean, for example, that industry practices which suit larger
organisations are incorporated into the Code as industry standards,
disadvantaging smaller industry participants that do not use the
same practices.

The
purpose of the Code is to provide practical guidance to credit
providers to assist compliance with the requirements of the Privacy
Act and it is expected that detailed compliance information will be
of significant assistance to credit providers. However, there
is a slight possibility that the existence of the Code may
discourage new credit providers. New credit providers may
prefer to establish alternative procedures and processes that
comply with the requirements of the Privacy Act but do not match
the detailed guidance contained in the Code. In addition, new
credit providers would not have had the opportunity to contribute
to the Code development process.

Office of the Privacy Commissioner - Benefits

A Code
would create certainty for the OPC that a breach of the Code is a
breach of the Privacy Act and it would also provide the OPC with
industry standards by which to apply the credit reporting
provisions. Industry standards would give greater clarity
about the application of the Act to the industry and should result
in more efficient complaint resolution, resulting in less confusion
as to whether a breach of the code is an interference with
privacy. Approval from the OPC would ensure the OPC is
satisfied with industry’s interpretation of the credit
reporting provisions.

Office of the Privacy Commissioner - Costs

It is
expected that the OPC would face minimal costs when compared with
Option 1. The OPC would not face costs in the development of
the Code, but would be required to incur some costs in approving
the Code. It is not possible to estimate the costs of
approving the Code until a draft Code is developed.

Small Businesses - Benefits

Some small
businesses may be credit providers depending on whether they offer
goods or services on terms that involve credit. In the
development of a Code the credit reporting industry would be
required to consult with affected stakeholders. It is
expected that this consultation process would include a mechanism
for small businesses to contribute to the development of the Code,
including through consultation with representative
organisations. As the Code would require authorisation by the
OPC, it would be expected that the OPC would consider whether
effective consultation had occurred, including with small business
stakeholders. Businesses are not required to participate in
the credit reporting system and, where small businesses choose not
to do so, they would not be affected by a Code.

Small Businesses - Costs

A Code
will deal in detail with operational matters arising from the
adoption of more comprehensive credit reporting. To the
extent that small businesses decide to participate in the credit
reporting system and use more comprehensive credit reporting
information, they will need to comply with the requirements of the
Code, including, for example, requirements to participate in EDR
services. It is not possible to quantify the possible
compliance costs for small businesses as there is no information
available on the number of small businesses likely to use more
comprehensive credit reporting.

Individuals - Benefits

Complaints
by individuals would be subject to a clear EDR process. As
the Code would be enforceable by the OPC, adherence with the Code
to the protection of individuals’ privacy would be stronger
as a breach of the Code would be a breach of the Privacy
Act.

Individuals
would benefit from consistent operational standards for industry
practices. Individuals would be concerned to ensure that the
Code achieved an appropriate balance between the protection of
personal information and the operational needs of the credit
reporting industry. As the OPC has responsibility for the
development and review of the Code, individuals can rely on the OPC
to ensure their interests in the effective protection of personal
information are protected.

Individuals
would also benefit from the legal status of the Code to ensure
their rights are enforced. The Code would remain a
disallowable instrument, which means that a breach of the Code
could be the subject of a complaint to the Privacy
Commissioner.

Individuals - Costs

A Code is
intended to ensure consistency and certainty in operational
practices throughout the credit reporting industry. There are
no obvious costs for individuals.

11.2.3 Impact of Option 3 - Introduce a voluntary Code developed by
industry

Credit Reporting Agencies - Benefits

This
option would not require the credit reporting industry to develop a
voluntary Code. It would be a matter for the industry to
decide whether or not to develop a voluntary Code. Any costs
involved in the development of a Code would not be imposed by
regulation but subject to commercial decisions about the costs and
benefits by the industry.

If the
credit reporting industry chooses to develop a voluntary Code, the
industry would remain in control of the development process.
Industry control over the code making process would:

· allow the
industry to apply detailed knowledge of industry practices to
determine the best procedures to ensure practical compliance with
the requirements of the Privacy Act

· provide
the industry with the flexibility to review the voluntary Code and
develop necessary changes as required by changes in industry
standards; and

A
voluntary Code would not require approval from the OPC, potentially
reducing costs and delays in implementation. However,
approval from the ACCC may be required depending on whether the
Code required consideration under the Trade Practices
Act.

A
voluntary Code would not impede new CRAs entering the market as it
would be a commercial decision whether or not the new CRA
subscribed to the voluntary Code.

The
ability of the credit reporting industry to develop and adhere to a
voluntary Code may assist the industry to build greater trust by
individuals in the operational standards and reliability of credit
reporting practices.

Credit Reporting Agencies - Costs

The code
making process would require industry cooperation to develop
specific operational and procedural requirements. This is
expected to involve costs to the industry in the preparation of the
voluntary Code, including a cost to develop and draft the voluntary
Code. However, ARCA has already drafted a Code and it is
expected that the Code could be readily modified to form the basis
of the voluntary Code, substantially reducing any costs in the
development of a voluntary Code.

A
voluntary Code would be required to comply with the ACCC’s
guidelines for developing effective voluntary industry codes of
conduct. The voluntary Code may also require authorisation by
the ACCC if it contravenes a provision of the Trade Practices Act,
which may extend the time required to develop the voluntary
Code.

CRAs would
not be required to be members of the voluntary Code. This may
lead to inconsistencies in the credit reporting system in ensuring
common compliance with the credit reporting provisions.

A
voluntary Code would not be enforceable by the OPC. This may
be seen by stakeholders (including consumers) as undermining the
reliability of the voluntary Code and the enforceability of any
consumer rights or industry obligations imposed by the voluntary
Code. This may detract from stakeholder trust in the
reliability of the credit reporting system.

It is
unlikely that the existence of the voluntary Code would discourage
new CRA industry entrants. As it will be voluntary, new
industry entrants would retain the discretion of not participating
in the voluntary Code. They would be able to establish their
own alternative procedures and processes that comply with the
requirements of the Privacy Act but do not match the detailed
guidance contained in the voluntary Code.

Credit Providers - Benefits

This
option would not require the credit reporting industry to develop a
voluntary Code. It would be a matter for the industry to
decide whether or not to develop a voluntary Code. Any costs
involved in the development of a Code would not be imposed by
regulation but subject to commercial decisions about the costs and
benefits by the industry.

If the
credit reporting industry chooses to develop a voluntary Code, the
industry would remain in control of the development process.
Industry control over the code making process would:

· allow the
industry to apply detailed knowledge of industry practices to
determine the best procedures to ensure practical compliance with
the requirements of the Privacy Act

· provide
the industry with the flexibility to review the voluntary Code and
develop necessary changes as required by changes in industry
standards; and

A
voluntary Code would not require approval from the OPC, potentially
reducing costs and delays in implementation. However,
approval from the ACCC may be required depending on whether the
Code required consideration under the Trade Practices
Act.

A
voluntary Code would not impede new credit providers entering the
market as it would be a commercial decision whether or not the
credit provider subscribed to the voluntary Code.

The
ability of the credit reporting industry to develop and adhere to a
voluntary Code may assist the industry to build greater trust by
individuals in the operational standards and reliability of credit
reporting practices.

Credit Providers - Costs

The code
making process would require industry cooperation to develop
specific operational and procedural requirements. This is
expected to involve costs to the industry in the preparation of the
voluntary Code, including a cost to develop and draft the voluntary
Code. However, ARCA has already drafted a Code and it is
expected that the Code could be readily modified to form the basis
of the voluntary Code, substantially reducing any costs in the
development of a voluntary Code.

A
voluntary Code would be required to comply with the ACCC’s
guidelines for developing effective voluntary industry codes of
conduct. The voluntary Code may also require authorisation by
the ACCC if it contravenes a provision of the Trade Practices Act,
which may extend the time required to develop the voluntary
Code.

Credit
providers would not be required to be members of the voluntary
Code. This may lead to inconsistencies in the credit
reporting system in ensuring common compliance with the credit
reporting provisions.

A
voluntary Code would not be enforceable by the OPC. This may
be seen by stakeholders (including consumers) as undermining the
reliability of the voluntary Code and the enforceability of any
consumer rights or industry obligations imposed by the voluntary
Code. This may detract from stakeholder trust in the
reliability of the credit reporting system.

It is
unlikely that the existence of the voluntary Code would discourage
new consumer credit industry entrants. As it will be
voluntary, new industry entrants would retain the discretion of not
participating in the voluntary Code. They would be able to
establish their own alternative procedures and processes that
comply with the requirements of the Privacy Act but do not match
the detailed guidance contained in the voluntary Code.

Office of the Privacy Commissioner - Benefits

The OPC
would face minimal, if any, costs when compared with Option
1. The OPC would not have a role in the voluntary Code making
process, although the industry may choose to consult the OPC for
guidance, and the OPC would not have a role in reviewing or
authorising the voluntary Code. In any enforcement actions
the OPC would not need to consult the voluntary Code in
interpreting the credit reporting provisions.

Office of the Privacy Commissioner - Costs

The OPC
would not have control over directing the credit reporting industry
to develop a voluntary Code or the content of the voluntary
Code. As the development of a voluntary Code would not be
linked to the Privacy Act, the OPC would not be able to interpret
specific credit reporting provisions by referring to the voluntary
Code for practical assistance. This may lead to a fragmented
approach to the operation of the credit reporting provisions, which
may result in increased enforcement costs for the OPC, particularly
if individual consumer complaints increased. It may also lead
to increased business education costs for the OPC if it was
necessary to encourage and educate the industry to ensure greater
compliance with the requirements of the credit reporting
provisions. It is not possible to quantify these potential
costs as they would depend on the nature and severity of any
problems which may be encountered.

Small Businesses - Benefits

Some small
businesses may be credit providers depending on whether they offer
goods or services on terms that involve credit. Businesses
are not required to participate in the credit reporting system and,
where small businesses choose not to do so, they would not be
affected by a voluntary Code. Where small businesses choose
to participate in the credit reporting system, participation in the
development and implementation of a voluntary Code would provide
them with greater certainty about the operation of the system and
may increase consumer trust in their compliance with the credit
reporting provisions.

Small Businesses - Costs

A
voluntary Code would deal in detail with operational matters
arising from the adoption of more comprehensive credit
reporting. To the extent that small businesses decide to
participate in the credit reporting system and use more
comprehensive credit reporting information, they would need to
consider complying with the requirements of the voluntary
Code. It is not possible to quantify the possible compliance
costs for small businesses as there is no information available on
the number of small businesses likely to use more comprehensive
credit reporting.

Individuals - Benefits

Individuals
would benefit from consistency in the type of practices engaged in
by credit reporting industry participants. Development of a
voluntary Code would provide consumer certainty around the
practices of participating industry members.

Individuals - Costs

A
voluntary Code may not build consumer trust in the practices of the
industry or the dispute resolution procedures. Breaches of
the voluntary Code would not be enforceable by the OPC. If
the voluntary Code requires authorisation by the ACCC, there may be
consumer confusion around the appropriate regulator for dispute
resolution. It may be the case that not all CRAs or credit
providers participate in the voluntary Code, which may create
inconsistency and uncertainty for individuals in their dealings
with the industry and in resolving consumer complaints.

11.2.4 Further notes relevant to Options 2 and 3: the ARCA Code

ARCA is
currently preparing an industry Code to provide safeguards for
business-to-business transactions involving consumer credit
information. Amongst other matters, the industry Code is
intended to regulate the operational processes by which credit
providers receive data from CRAs, as well as provide requirements
for how credit providers deal with customers on credit reporting
issues. The current members of ARCA are ABACUS (Australian
Building and Credit Union Societies, known as Australian Mutuals),
American Express, ANZ Bank, Bank of Queensland, Bank of Western
Australia, Citibank, Commonwealth Bank of Australia, GE Money, HBOS
Australia, HSBC Bank, National Australia Bank, St George Bank,
Telecom New Zealand, Westpac Bank, Dun and Bradstreet, and Veda
Advantage.

ARCA has
released a draft Credit Reporting Code of Conduct (the ARCA Code)
which it has prepared as a voluntary contractual Code between
members along the lines outlined in Option 3. However,
the draft ARCA Code provides that membership is mandatory for any
CRA with operations in Australia and for any credit provider who
wishes to use or disclose credit reporting information. The
ARCA Code would require all CRAs to ensure that organisations that
seek access to credit reporting information are signatories to the
Code or are otherwise bound by the Code provisions (e.g. via
contract or terms and conditions of access). It would also
allow regulators to require organisations to be bound by the Code
(for example as a condition of obtaining a licence).

ARCA’s
work in developing a Code on behalf of the industry means that much
of the work required to create a code has been commenced
satisfied. ARCA has undertaken a consultation process and
invited submissions from interested parties in April 2009. It
is understood that ARCA is currently in the process of considering
those submissions and revising the draft Code. Whether the
ARCA Code forms the basis for a voluntary Code under Option 3 or a
binding Code under Option 2, the document would need to undergo an
approval process by the appropriate regulator (the ACCC for Option
3 or the OPC for Option 2).

12 Consultation

12.1 ALRC Report Consultation

The ALRC
consulted with a wide variety of stakeholders which included CRAs,
credit providers, consumer advocates and the OPC. There was
broad support for the implementation of a new credit reporting
code. CRAs and the representative body ARCA were strongly in
favour of a new code, and as already demonstrated, ARCA is
preparing a draft credit reporting code. The OPC was also in
favour of a new code. In terms of legislative design, in
their submissions to the ALRC, the CRAs and ARCA originally
supported a binding code under Part IIIAA as outlined in Option
2.

Consumer
groups and privacy advocates generally favoured a binding code
approved by the Privacy Commissioner. Matters which were of
high importance for these groups were to ensure greater certainty
about data accuracy, security and appropriate EDR procedures and
processes.

12.2 Consultation since the release of the ALRC Report

The
Government undertook extensive consultations with, and received
written submissions from, both the credit reporting industry and
advocates on the credit reporting recommendations.

The
Government held the public roundtable consultations in December
2008. There were 22 credit reporting industry attendees and
eight privacy and consumer advocate attendees. 15 written
submissions were received from the stakeholders. The Department
also held a large number of one-on-one meetings with stakeholders
in the first half of 2009 to discuss the application of the
ALRC’s recommendations.

The views
of privacy and consumer advocates remained largely unchanged since
the publication of the ALRC Report, and they reinforced their
support for a mandatory credit reporting code approved by the
OPC. One large credit provider similarly stressed that there
should be only one regulator responsible for enforcement of the
code.

The
position of ARCA and CRAs in relation to the design of a code
changed from their original submission to the ALRC. They have
submitted that the code should not be binding under the Privacy
Act as under Option 2 and favour instead the adoption of a
contractual code similar to Option 3.

13 Conclusion and Recommended Option

Option 2
is preferred. Unlike Option 1, Option 2 provides the consumer
credit industry with sufficient flexibility and discretion to
ensure that the requirements of the Code adequately address
industry practice, while at the same time providing the Privacy
Commissioner with the power to determine (through the approval
process) whether the Code is consistent and compliant with the
requirements of the Privacy Act. Option 2 provides for a
legally binding Code, which will allow the Privacy Commissioner to
ensure an appropriate balance between the privacy needs of
individuals and the operational needs of the consumer credit
industry. This is not available under Option 3. The
requirement under Option 2 for any organisation which wants to
participate in the credit reporting system to be a member of the
binding Code will ensure consistency in practices across the
consumer credit industry. Furthermore, a binding code under
the jurisdiction of the Privacy Act (in contrast to a contractual
code under Option 3) allows the OPC to interpret specific credit
reporting provisions with reference to the Code. This will
aid in efficient and consistent complaint resolution for
individuals, whether the complaints deal with matters regulated
directly by the Privacy Act or by the Code. In addition, the
likely costs for industry in complying with a Code developed under
Option 2 are expected to be reduced. The consumer credit
industry has already developed and complies with the ARCA Code,
which it is expected would form the basis for the new industry
developed Code of Conduct under Option 2. The use of the ARCA
Code is also likely to reduce the costs to industry in developing a
voluntary Code under Option 3. However, the voluntary Code
would not be binding on industry and would not establish the same
level of certainty around industry practices and consumer complaint
resolution procedures as an industry developed Code under Option
2.

14. Implementation and Review

The
Government will release a public response to the ALRC Report.
The Government has announced that the first step in the
implementation of the Government response will be to release
exposure draft legislation for public comment.

The ALRC
recommended the Government initiate a review of the new credit
reporting provisions five years after their commencement. [37]
The Government will consider this recommendation in the Government
response to the ALRC report.

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary
Scrutiny) Act 2011

This Bill
is compatible with the human rights and freedoms recognised or
declared in the international instruments listed in section 3 of
the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

The Privacy Amendment Bill 2012 (the Bill) will amend the
Privacy Act 1988 (the Act) to implement the
Government’s first stage response to the Australian Law
Reform Commission’s report number 108 For Your
Information: Australian Privacy Law and Practice.
The ALRC, which had undertaken a comprehensive review of
privacy law in Australia, released its report in May 2008. Given
the large number of recommendations, the Government announced that
it would respond in two stages. The Government’s first
stage response addressed 197 of the ALRC’s 295
recommendations. The Bill implements the major elements of
the first stage response.

The Bill will amend the Act to:

· create the Australian Privacy Principles (APPs), a single set of
privacy principles applying to both Commonwealth agencies and
private sector organisations, setting
out the standards, rights and obligations for the collection,
storage, security, use, disclosure and quality of personal
information, which will replace the
Information Privacy Principles (IPPs) for the public sector and
National Privacy Principles (NPPs) for the private
sector,

· introduce more comprehensive credit reporting, and

· clarify the functions and powers of the Privacy Commissioner and
improve the Commissioner’s ability to resolve complaints,
recognise and encourage the use of external dispute resolution
services, conduct investigations and promote compliance with
privacy obligations.

The Bill will reduce complexity, increase consistency and clarify
rights and obligations under the Act and improve usability for
entities required to comply with the Act, while continuing to
protect the privacy rights of individuals. The credit reporting
provisions will be re-written to more effectively address the
significant changes and increased practical complexity in the
operation of the credit reporting system since the provisions were
enacted in 1990. In introducing more comprehensive credit
reporting the rights of individuals will be enhanced, including
rights to access and correct their credit reporting
information.

The Act currently provides for the development of APP Codes for
particular sectors to guide their use of personal information. The
Bill replaces
the existing privacy codes and the credit reporting code with APP
codes and the Credit Reporting Code of Conduct. The Bill
will allow the Privacy Commissioner to
create a binding code for the sector following consultation in
circumstances where the private sector does not create its own
Code, or the Code is found to not appropriately regulate the
sector’s use of information. All Codes, APP or Credit
Reporting, are deemed disallowable legislative instruments by the
amendments in the Bill, and will therefore be subject to
Parliamentary scrutiny and accompanied by their own Statement of
Compatibility with human rights.

Human rights implications

The Bill engages the following human rights:

· the protection against arbitrary interference with privacy

· the right to freedom of expression and opinion, and

· the right to a fair trial.

Protection against arbitrary interference with privacy

The Bill
engages Article 17 of the International Covenant on Civil and
Political Rights (ICCPR), which provides that no one shall be
subjected to arbitrary or unlawful interference with his or her
privacy, family, home or correspondence, nor to unlawful attacks on
his or her honour and reputation, and that everyone has the right
to the protection of the law against such interference or
attacks.

The Bill
protects against arbitrary interference with privacy by introducing
a number of specific protections, including enhanced
notification (APP 5), data quality (APP 10), data correction (APP
13) and dispute resolution mechanisms for individuals. In
particular, these measures involve:

· enhancing
obligations on agencies and organisations regarding an
individual’s access to, and correction of, their personal
information, accompanied by a revised approach to complaints
handling, including timeframes for notification and the use of
alternative dispute resolution for credit reporting complaints, to
more efficiently deal with complaints

· prohibiting
the collection of credit reporting information about individuals
reasonably known to be under 18

· in
circumstances of suspected identity theft or fraud, providing
individuals with the ability to prohibit, for a specified period of
time, the disclosure of credit reporting information about them
without their express authorisation

· requiring
entities to develop and publish more comprehensive privacy policies
to promote more open and transparent management of personal
information

· introducing
a requirement for Commonwealth government agencies to accord higher
privacy protection to ‘sensitive
information’

· ensuring
that personal information that is received by an entity is still
afforded privacy protections, even where the entity has done
nothing to solicit the information

· broadening
the matters that an individual is to be made aware of at the
time of collection of the personal information of the
individual

· introducing
a new ‘Direct Marketing’ principle, that will place
extra limitations on organisations that use or disclose personal
information to promote or sell goods or services directly to
individuals

· improving
corrections and complaints processes for consumers, including
allowing complaints to be made directly to the Privacy Commissioner
in certain circumstances

· clarifying the functions and powers of the Privacy Commissioner to
improve the Commissioner’s ability to resolve complaints,
recognise and encourage the use of external dispute resolution
services, conduct investigations and promote compliance with
privacy obligations

· ensuring the Commissioner has the flexibility to apply the Act to
existing and emerging technologies and to enforce compliance where
necessary, and

· requiring
entities to ensure that obligations to protect personal information
set out in the APPs cannot be avoided by disclosing personal
information to a recipient outside Australia.

Reasonably necessary

A key
objective of the Act is to balance the protection of the privacy of
individuals, with the interests of public and private sector
entities in carrying out their lawful and legitimate functions and
activities. The Bill enables the personal information of an
individual to be collected, used and disclosed in particular
circumstances (e.g. APP 3 and APP 6). Collecting,
using, storing and sharing personal information, including its
release without an individual’s knowledge or consent, all
amount to interferences with privacy. In order for an
interference with the right to privacy to be permissible, the
interference must be authorised by law, be for a legitimate
objective and be reasonable, necessary and proportionate to that
objective.

One
threshold standard that will apply in the APPs in certain
circumstances is where an entity is able to undertake activities
with personal information where it is ‘necessary’ for a
particular purpose, function or activity. For example, an
entity may collect sensitive information without consent if the
entity reasonably believes that the collection is necessary to
lessen or prevent a serious threat to the life, health or safety of
an individual, or to public health and safety (APP 3.4 and s
16). These limitations are consistent with the prohibition on
arbitrary interference with privacy as they are directed at
legitimate objectives and are reasonable, necessary and
proportionate to those objectives.

The Bill
also enables the personal information of an individual to be
collected, used and disclosed in certain circumstances where it is
‘reasonably necessary’ for one or more of the
entity’s functions or activities (agencies also have a
‘directly related’ test) (APP 3 and 6). It is
reasonable for these entities to be able to handle personal
information in these circumstances to promote the
Government’s service delivery, taxation, law enforcement and
national security objectives, and the needs of business to offer
services to the public. This is how the test has operated
under the National Privacy Principles since their enactment in
2001. The permitted activities are limited to specific
purposes (ie an entity’s functions and activities), and
subject to additional safeguards in the case of sensitive
information. For these reasons, the ‘reasonably
necessary’ threshold is consistent with the protection
against arbitrary interference with privacy, subject to the
additional safeguards in the case of sensitive information (APP 3.3
and 3.4).

Comprehensive credit reporting

The Bill
implements the ALRC’s recommendations to move to a more
comprehensive credit reporting system. In this respect, the Bill
may limit the prohibition on arbitrary interference with privacy by
adding five new categories to the types of personal information
that make up an individual’s credit information in the credit
reporting system. Four of the new categories, which are introduced
in the new definition of consumer credit liability
information in subsection 6(1), are:

· the type of credit account opened

· the date on which the consumer credit is entered into

· the date on which the consumer credit is terminated, and

· the current limit of the credit account.

The fifth
category, repayment history information, is added directly to the
definition of credit information, at part (c) of clause 6N of the
Bill.

The Act
currently enables the collection and disclosure of personal
information that primarily detracts from an individual’s
credit worthiness—such as the fact that an individual has
defaulted on a loan. This is commonly referred to as
‘negative’ or ‘delinquency-based’ credit
reporting. The introduction of comprehensive credit reporting is
aimed at providing a more balanced and accurate picture of an
individual’s credit situation than currently exists,
providing positive information about a person’s credit
situation such as when an individual has met their credit payments.
The introduction of more comprehensive credit reporting allows
credit providers to access an enhanced set of personal information
tools directly relevant to establishing an individual’s
credit worthiness. This will allow credit providers to make a
more robust assessment of credit risk, which is expected to lead to
lower credit default rates. More comprehensive credit reporting is
also expected to improve competition in the credit market, which
may result in reductions to the cost of credit for individuals. The
amendments will enable legitimate commercial activity, facilitating
consumer lending and transactions, and thus the participation of
individuals in the economy. These are legitimate
objectives.

The Bill
introduces a number of safeguards to provide individuals with the
tools to access information held about them, and correct any
inaccuracies. The Bill also makes improvements to the
complaints process, to ensure that the first organisation to
receive the individual’s complaint is responsible for taking
action. In moving to more comprehensive credit reporting it
has been recognised that additional safeguards around the use of
repayment history information, the fifth new category of
information, are also necessary. Repayment performance history will
only be available to credit providers who are licensees [and to
lenders mortgage insurers in relation to services they provide to
credit providers] and subject to the responsible lending
obligations in the National Consumer Credit Protection Act 2009
(Cth). [38]

The Bill
continues to state clearly defined and limited uses and disclosures
for credit reporting information. The Government did not support
the ALRC’s recommendation that secondary uses of credit
reporting information should be subject to a broad discretion
exercised by credit reporting bodies or credit providers. The
Government’s approach ensures any effect on privacy rights is
proportionate and limited by the introduction of specific
safeguards, including:

· only
de-identified information can be used for the purpose of research,
and the research must be reasonably connected to the credit
reporting system, and

· the use of
credit reporting information for the purposes of pre-screening is
expressly limited to the purpose of excluding adverse credit risks
from marketing lists.

Pre-screening is subject to specific requirements, including only
the use of negative credit reporting information, the requirement
for notice at the time of collection that information may be used
for this purpose, an opt out opportunity, and a prohibition on
individuals being identified for other direct marketing. Any
entity involved in pre-screening must maintain auditable evidence
to verify compliance, and which is available to individuals.
Pre-screening is also only available to credit providers who are
subject to the National Consumer Credit Protection Act 2009
(NCCP Act).

In the
consumer credit environment it is important to achieve a balance
between privacy protection and the efficient operation of the
credit market. Access to narrowly defined categories of credit
information to ensure a more balanced picture of an
individual’s credit situation, taking into account positive
action such as payment, and not just negative information like
defaults, and to allow for more effective risk assessment by credit
providers is balanced with the enhanced privacy protections set out
above.

Any
limitations on the prohibition against arbitrary interference with
privacy in the Bill are clearly and narrowly defined, for the
legitimate purpose of improving the management of personal and
credit reporting information, and accompanied by sufficient
safeguards to maintain reasonable privacy protections. The
measures are reasonable, necessary and proportionate as they ensure
the smallest possible set of data is used for the narrowest
purposes to achieve the objective of providing a functional
consumer credit market.

Freedom of expression

The Bill
engages Article 19 of the ICCPR. Article 19 guarantees
freedom of expression, including the right to impart and to receive
information. The freedom of expression is not an absolute right,
and Article 19(3) of the ICCPR
specifies the legitimate aims which any legal restriction on the
exercise of freedom of expression must pursue. In this case the
Bill limits the right to freedom of expression in order to promote
respect for the rights or reputations of others, namely the
protection against arbitrary interference with privacy in Article
17.

The
Commissioner has the ability to create binding codes in certain,
defined circumstances (new Part IIIB inserted by Schedule 3). Codes
will provide additional protections over and above the APPs. Codes
cannot displace or provide for a lower standard of privacy
protection than the APPs. The ability of the Commissioner to create
binding codes may in certain circumstances limit the code
developers’ (which could be any entity subject to the Act)
right to freedom of expression. Not every code will impinge on this
right. The performance of the functions and powers of the
Commissioner, including the development of a binding code, continue
to be governed by Section 29 of the Act, which requires the
Commissioner to have regard to, amongst other things, the
protection of important human rights and social interests that
compete with privacy. [39] Section 29
also provides that the Commissioner must take account of
international obligations accepted by Australia and any developing
international guidelines relevant to the better protection of
individual privacy. When issuing directions and
guidelines the Commissioner must also ensure they are consistent
with any relevant APPs or credit reporting provisions. As
noted above, all Codes will be disallowable legislative
instruments, subject to Parliamentary scrutiny, and required to be
accompanied by their own Statement of Compatibility with human
rights. These safeguards ensure that the limitation the Bill places
on the right to freedom of expression is reasonable, necessary and
proportionate.

Fair trial

The Bill
engages Article 14 of the ICCPR, which guarantees a person be
afforded, in the determination of any criminal charge against them,
the right to a fair trial. The United Nations Human Rights
Committee has stated that the notion of criminal charges may
‘also extend to acts that are criminal in nature with
sanctions that, regardless of their qualification in domestic law,
must be regarded as penal because of their purpose, character or
severity’. [40]

The Bill
removes many of the criminal offences in the Act, replacing them
with civil penalty provisions. [41]
The civil penalty provisions, such as those in Subdivision D of
Part IIIA, are declared not to be offences under Part VIB. While
the provisions provide for significant civil penalties it is
considered that serious breaches of privacy should attract serious
penalties. This is consistent with the civil penalties in the NCCP
Act, and with the Government’s overall response to serious
breaches by corporations.

The Bill
incorporates appropriate safeguards into the civil penalty
provisions of the Bill. [42]
It stipulates that in determining pecuniary penalties a court must
take all relevant matters into account, including the circumstances
of the contravention, the nature and extent of any loss or damage
suffered because of the contravention and whether the entity has
previously been found to have engaged in similar conduct. The
Bill provides that an entity will not be liable for more than one
pecuniary penalty in relation to the same conduct. These provisions
will ensure that pecuniary penalties are proportionate to any
contravention of a civil penalty provision, and protect the rights
expressed in Article 14.

Conclusion

The Bill
is compatible with human rights because it advances the protection
of human rights, primarily protection against arbitrary
interference with privacy, and, to the extent that it may also limit other human rights,
those limitations are reasonable and proportionate.

PRIVACY AMENDMENT (ENHANCING PRIVACY PROTECTION) BILL 2012

NOTES ON CLAUSES

List of Abbreviations

APP                         Australian Privacy Principle
Information Commissioner    Australian Information Commissioner
IPP                         Information Privacy Principle
NPP                         National Privacy Principle
OAIC                        Office of the Australian Information Commissioner
Privacy Act                 Privacy Act 1988

NOTES ON CLAUSES

Clause 1 Short title

Clause 1
sets out the title by which the Bill, when enacted, is to be cited
- Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Clause 2 Commencement

Clause 2
inserts a table which provides for the commencement arrangements
for each of the provisions in the table. Column 1 states the
provision number, and column 2 provides the commencement
arrangements for that particular provision.

The table
provides that sections 1 to 3 and any other provision in the Act
that is not provided for in the table commences on the day the Act
receives the Royal Assent. The table also provides that Items 156
and 162 of Schedule 5 and Parts 1 and 4 of Schedule 6 also commence
on the day the Act receives the Royal Assent.

The
majority of the new provisions have a deferred commencement of 9
months from the day after the Bill receives the Royal Assent. This
deferment is to allow agencies and organisations sufficient time to
prepare for the introduction of the new provisions, particularly
for the credit reporting provisions. The table in Clause 2 provides
that the following provisions commence the day after the end of the
period of 9 months beginning on the day this Act receives the Royal
Assent:

Schedules
1 to 4, Items 1 to 70, 72 to 79, 81 to 131, 133 to 155, 157 to 161,
163 to 171, and 173 to 180 of Schedule 5, and Parts 2, 3, 5, 6, and
7 of Schedule 6.

Item 71 of
Schedule 5 relates to the operation of the Personally Controlled
Electronic Health Records Act 2012 (Personally Controlled
Electronic Health Records Act). Item 71 of Schedule 5 does not
commence at all if section 73 of the Personally Controlled
Electronic Health Records Act does not commence. If that provision
does commence, Item 71 of Schedule 5 of this Bill commences
immediately after its commencement, or the start of the day after
the end of the period of 9 months beginning on the day this Bill
receives the Royal Assent, whichever occurs later.

This
situation also applies to Item 80 of Schedule 5, which relates to
the operation of the Stronger Futures in the Northern Territory Act
2012 (Stronger Futures in the Northern Territory Act). Item 80 of
Schedule 5 does not commence at all if section 105 of the Stronger
Futures in the Northern Territory Act does not commence. If that
provision does commence, item 80 of Schedule 5 commences
immediately after its commencement, or the start of the day after
the end of the period of 9 months beginning on the day this Bill
receives the Royal Assent, whichever occurs later.

This
commencement arrangement also applies to item 132 of Schedule 5, which
relates to the commencement of item 24 of Schedule 5 of the
Consumer Credit and Corporations Legislation Amendment
(Enhancements) Act 2012, and item 172 of Schedule 5 which
relates to the commencement of item 32 of Schedule 1 of the
Personally Controlled Electronic Health Records (Consequential
Amendments) Act 2012.

Clause 3 Schedule(s)

This
clause provides for each Act specified in a Schedule to the Bill to
be amended in accordance with the items set out in the relevant
Schedule.

Schedule 1—Australian Privacy Principles

Introduction

Outline of this schedule

This
schedule amends the Privacy Act to include the new Australian
Privacy Principles (APPs). The APPs will be the cornerstone
of the privacy protection framework of the Privacy Act. The
APPs will replace the Information Privacy Principles (IPPs), which
applied to Commonwealth agencies, and the National Privacy
Principles (NPPs), which applied to certain private sector
organisations. As with these former principles, the APPs will
regulate the collection, holding, use and disclosure of personal
information that is included in records. Schedule 1 also
contains amendments to definitions to either replace or clarify
them, or add more definitions to deal with new
terms.

Principles based legislation

The APPs
will be principles-based law. The best regulatory model for
information privacy protection in Australia is this type of
law. By continuing to use high-level principles, the Privacy
Act regulates agencies and organisations in a flexible way.
They can tailor personal information handling practices to their
diverse needs and business models, and to the equally diverse needs
of their clients.

The
Privacy Act combines principles-based law with more prescriptive
rules where appropriate. This regulation is complemented by
guidance and oversight by the regulatory body, the Office of the
Australian Information Commissioner (OAIC). This is
comparable to international regulatory models in jurisdictions such
as Canada, New Zealand and the United Kingdom.

Structure

The order
in which the APPs appear is intended to reflect the cycle that
occurs as entities collect, hold, use and disclose personal
information.

This
broadly consists of the following stages:

· planning in advance how to meet obligations in relation to the
handling of personal information;

· considering whether information may or should be collected;

· collecting information;

· providing notification of collection to the individual
concerned;

· using or disclosing the information for the purpose for which it
was collected or for an allowable secondary purpose;

· maintaining the integrity of personal information by securely
storing it and ensuring its quality; and

· when the information is no longer necessary for the functions or
activities of the entity, destroying it or ensuring that it is no
longer personal information.

To this
end, the APPs have been set out in Parts that move through each of
the above elements of the information-handling
chain.

Part 1
sets out principles that require APP entities to consider the
privacy of personal information, including ensuring that APP entities manage
personal information
in an open and transparent way.

Part 2
sets out principles that deal with the collection of personal
information
including unsolicited personal information.

Part 3
sets out principles about how APP entities deal with personal
information and
government related identifiers. The Part includes principles
about the use and disclosure of personal information and those
identifiers.

Part 4
sets out principles about the integrity of personal
information. The
Part includes principles about the quality and security of personal
information.

Part 5
sets out principles that deal with requests for access to, and the
correction of, personal information.

Key concepts - definition of ‘personal information’

The
definition of ‘personal information’ has been modified
to implement the Government’s acceptance of ALRC
Recommendation 6-1.

It is
important that this key definition be sufficiently flexible and
technology-neutral to encompass changes in the way that information
that identifies an individual is collected and handled. The
ALRC’s recommended definition continues to allow this
approach and also brings the definition in line with international
standards and precedents.

The
proposed definition does not significantly change the scope of what
is considered to be personal information. The application of
‘reasonably identifiable’ ensures the definition
continues to be based on factors which are relevant to the context
and circumstances in which the information is collected and
held.

Consistent
with the Government’s response to ALRC Recommendation 6-2,
the Government encourages the development and publication of
appropriate guidance by the OAIC about the meaning of
‘identified or reasonably identifiable’. This
will be useful in assisting organisations, agencies and individuals
to understand the application of the new definition, especially
given the contextual nature of the definition.

Key concepts - ‘reasonably necessary’

A number
of the APPs allow for collection, use or disclosure where the
entity believes that the collection, use or disclosure is
‘reasonably necessary’ for a particular purpose.
It is intended that this be interpreted objectively and in a
practical sense. It is not intended to provide a lower level
of protection compared with the existing NPPs, where an objective
test is implied.

In
relation to the requirement that an entity must not collect, use or
disclose personal information unless it is reasonably necessary for
a particular purpose, function or activity, this is intended to
reflect the following. The first is that the collection, use
or disclosure is reasonably necessary to pursue that particular
purpose, function or activity. Whether the collection, use or
disclosure is reasonably necessary is to be assessed from the
perspective of a reasonable person (not merely from the perspective
of the entity proposing to undertake the
activity).

Where a
reasonable person would not regard the purpose, function or
activity in question as legitimate for that type of entity, the
collection, use or disclosure of personal information will not be
‘reasonably necessary’ even if the entity cannot
effectively pursue that function or activity without collecting,
using or disclosing the personal information.

Key concepts - requirement to take reasonable steps

A number
of the APPs require an entity to take ‘reasonable
steps’. The expression ‘such steps as are
reasonable in the circumstances’ is intended to be
interpreted as being similar in meaning to the term
‘reasonable steps’ used in the NPPs.
Specifically, the term requires an objective assessment, and
the addition of the words ‘in the circumstances’ is
only intended to highlight that when considering what are
objectively reasonable steps the specific circumstances of each
case must be considered. In some cases, the words ‘(if
any)’ are used to ensure that, in that particular case, if
there are no steps that an entity needs to take to fulfil its
obligations, it need not take any steps.

Key concepts - consent

Consent is
a defined concept within the current Privacy Act which will be
retained in the amended Act. Consent is defined to mean
‘express consent or implied consent’. Express
consent exists where a person makes an informed decision to give
their voluntary agreement to collection, use or disclosure taking
place.

Whether
consent can be said to be implied depends entirely on the
circumstances. Consent may be implied when, in the
circumstances, the individual and the relevant entity have each
engaged in conduct that means that it can be inferred the
individual has consented, even though the individual may not have
specifically stated that he or she gives consent.

Consent,
in many circumstances, can be withdrawn at any time. In such
circumstances, the consent no longer exists, and an entity would no
longer be able to rely on consent having been given when dealing
with the individual’s personal information.

Consistent
with the Government’s response to ALRC Recommendation 19-1,
the Government encourages the development and publication of
appropriate guidance by the OAIC about what is required of agencies
and organisations to obtain an individual’s consent for the
purposes of the Privacy Act.

Treatment of ‘sensitive information’

Schedule 1
implements the Government’s agreement with the ALRC that the
community expects ‘sensitive information’ to be
afforded higher privacy protections than personal information that
is not sensitive. These protections will apply regardless of
whether sensitive information is held by agencies or
organisations. These requirements include that sensitive
information may not be collected except where permitted by
specified exceptions. These exceptions reflect the public
interest in allowing entities to perform certain functions and
activities.

Item 1 Section 3

Item 1
will amend section 3 of the Privacy Act by removing the reference
to the ‘transfer’ of information. Section 3
provides that the Privacy Act does not affect the operation of
State and Territory legislation that deals with the same subject
matter and is capable of operating concurrently with the Privacy
Act.

As a
result of the changes in terminology from the NPPs to the APPs,
reference to the ‘transfer’ of information is
unnecessary. NPP 9 deals with transborder data flows and uses
the term ‘transfer’. However, APP 8, which deals
with cross-border disclosure of personal information, uses the term
‘disclosure’. The term ‘transfer’ is
not otherwise used in the APPs. To ensure that section 3
accurately sets out the content of corresponding State and
Territory privacy laws that are to be saved, it is necessary to
omit reference to ‘transfer’.

Item 2 Section 3 (note)

Item 2
will amend section 3 of the Privacy Act by replacing the reference
to the NPPs with a reference to the APPs.

Item 3 Section 5

Item 3
will repeal section 5 of the Privacy Act, which is no longer
necessary as it deals with the interpretation of the IPPs, which
will be replaced by the APPs. New section 14 of the Privacy
Act will note that the APPs are set out in Schedule 1 of the
Privacy Act, and that a reference to an APP by a number is a
reference to an APP with that number.

Item 4 Subsection 6(1) (paragraph (i) of the definition of ‘agency’)

Item 4
will repeal paragraph (i) of the definition of ‘agency’
in subsection 6(1) of the Privacy Act, which refers to an
‘eligible case manager’ (see Item 15).

Item 5 Subsection 6(1)

Item 5
will insert a definition of ‘APP complaint’ into
subsection 6(1) of the Privacy Act. This definition means a
complaint about an act or practice that, if established, would be
an interference with the privacy of an individual because it
breached an APP. A separate definition is required for an
‘APP complaint’ to distinguish it from other types of
complaints under the Privacy Act (for example, ‘code
complaints’, and complaints relating to the handling of
credit reporting information).

Item 6 Subsection 6(1)

Item 6
will insert a definition of ‘APP entity’ into
subsection 6(1) of the Privacy Act.

Under the
current Act, the IPPs apply to Commonwealth agencies, while the
NPPs apply to certain private sector organisations. Under the
amendments in the Bill, both agencies and organisations will be
regulated by the APPs. It is therefore necessary to include a
definition that includes both types of
entities.

Item 7 Subsection 6(1)

Item 7
will insert a definition of ‘APP privacy policy’ into
subsection 6(1) of the Privacy Act. The definition is
included in APP 1.3, which states that, ‘[a]n APP entity must
have a clearly expressed and up-to-date policy (the APP privacy
policy) about the management of personal information by the
entity’. The intention of APP 1 is to ensure that APP
entities manage personal information in an open and transparent
way. APP 1 also contains requirements about the content of an
APP privacy policy and its availability.

Item 8 Subsection 6(1)

Item 8
will insert a definition of ‘Australian law’ into
subsection 6(1) of the Privacy Act. The definition addresses
the Government’s acceptance in principle of ALRC
Recommendation 16-1 that it should include a reference to
‘common law or equitable duties’, but exclude
‘contracts’. In that response, the Government
also noted that while a definition will provide a degree of
clarity, the meaning of ‘law’ is best determined on a
case-by-case basis. The Government also outlined some
relevant considerations in determining the application of the
required or authorised by law exemption, but also in determining
whether an applicable law is relevant under the Privacy
Act.

The
definition has been included to clarify the scope of provisions
that allow collection, use or disclosure where it is required or
authorised by or under law. Currently there is no definition
of ‘law’ in the Privacy Act and it generally takes its
ordinary meaning. The ALRC found that there was a degree of
uncertainty around the definition and that an inclusive definition
should be expressly set out to create greater
clarity.

Item 9 Subsection 6(1)

Item 9
will insert a definition of ‘Australian Privacy
Principle’ into subsection 6(1) of the Privacy Act. The
definition refers to section 14 of the amended Act, which is a
provision ensuring that a reference in any Act to an APP by a
number is a reference to the APP with that number.

Item 10 Subsection 6(1)

Item 10
will insert a definition of ‘collects’ into subsection
6(1) of the Privacy Act.

The
definition will capture the substance of section 16B of the Privacy
Act and IPPs 1-3, namely that the Privacy Act applies to personal
information collected by entities regulated by the Privacy Act for
inclusion in a record or generally available publication.
Section 16B of the Privacy Act and the IPPs will be
repealed.

Item 11 Subsection 6(1)

Item 11
will insert a definition of ‘Commonwealth record’ into
subsection 6(1) of the Privacy Act, which will have the same
meaning as in the Archives Act 1983 (Archives Act).
That expression appears in APPs 4 and 11, and ensures that certain
requirements under the Archives Act relating to the retention of
Commonwealth records will apply notwithstanding requirements in the
APPs relating to destruction of personal
information.

Item 12 Subsection 6(1)

Item 12
will insert a definition of ‘court/tribunal order’ into
subsection 6(1) of the Privacy Act. The inclusion of
orders of courts or tribunals as part of clarifying the scope of
the ‘required by or authorised by or under law’
exceptions is ALRC Recommendation 16-1, which the Government
accepted. This definition gives the broadest interpretation
to the concept and is consistent with that terminology as it
appears in other laws and regulations (for example, Legislative
Instruments Regulations 2004).

Item 13 Subsection 6(1)

Item 13
will insert a definition of ‘de facto partner’ into
subsection 6(1) of the Privacy Act. This contains a
cross-reference to the meaning of that expression in the Acts
Interpretation Act (see section 2D). This definition is
relevant to subsection 6(10) of the Privacy Act, which provides
that a ‘de facto partner of the individual’ is taken to
be included within the concept of a ‘family’ for
certain purposes.

Item 14 Subsection 6(1)

Item 14
will insert a definition of ‘de-identified’. This
will provide that personal information is
‘de-identified’ if the information is no longer about
an identifiable individual or an individual who is reasonably
identifiable. This term is used in the APPs and the credit
reporting provisions.

Item 15 Subsection 6(1) (definition of ‘eligible case manager’)

Item 15
will repeal the definition of ‘eligible case manager’
in subsection 6(1) of the Privacy Act.

The
concept of ‘eligible case manager’ came from the
Employment Services Act 1994, which was repealed by the
Financial Framework Legislation Amendment Act (No. 1)
2006. It is therefore no longer necessary to include that
definition. All references to ‘eligible case
manager’ are being removed from the Privacy
Act.

Item 16
will insert a reference to the CrimTrac Agency into the definition
of ‘enforcement body’ in subsection 6(1) of the Privacy
Act.

The
CrimTrac Agency is the national information-sharing service for
Australia's police, law enforcement and national security
agencies. It enables police agencies to share policing
information with one another across Australia's state and territory
borders. In view of its enforcement related functions and
activities, and the type of information it collects, uses and
discloses, it is appropriate to include the CrimTrac Agency in the
definition of ‘enforcement body’. This will
enable it to collect personal and sensitive information for its
legitimate functions and activities, and to enable such information
to be used or disclosed on its behalf for an ‘enforcement
related activity’.

Item 17
will insert a reference to the ‘Immigration
Department’. That will be a new definition in section 6
of the Privacy Act referring to the Department administered by the
Minister administering the Migration Act 1958 (Migration
Act).

Currently,
this is a reference to the Department of Immigration and
Citizenship (DIAC). The effect of this addition is that DIAC
will have the ability to collect personal and sensitive information for
its functions and activities (subject to the additional requirement
in APP 3.4 that the collection of sensitive information without
consent be limited to its enforcement related activities), and will
have the ability to have information used or disclosed on its
behalf for an enforcement related activity.

In view of
DIAC’s enforcement related functions and activities, and the
type of information it collects, uses and discloses, it is
appropriate to include it in the definition of ‘enforcement
body’. However, given that it has a range of
non-enforcement functions and activities, it will be limited in the
collection of sensitive information to its ‘enforcement
related activities’.

Item 18
will include the Office of the Director of Public Prosecutions
(DPP) or similar bodies established under a law of a State or
Territory in the definition of ‘enforcement body’ in
subsection 6(1) of the Privacy Act. A body will be
‘similar’ to the DPP if it has similar enforcement
related functions. A clear example of such a body is a State
DPP.

The
functions and activities of the Commonwealth and State/Territory
DPPs include prosecuting criminal offences, preparing for, or
conducting, proceedings before courts, and applying for orders
relating to the confiscation of proceeds of crime. The DPP offices
may, to some extent, come within the existing definition of
‘enforcement body’ through existing paragraphs (f) and
(g) of that definition. However, to avoid any doubt about
whether the DPP offices are enforcement bodies, it is necessary to
include them in the definition.

Item 19
will include the Corruption and Crime Commission of Western
Australia (CCCWA) in the definition of ‘enforcement
body’ in subsection 6(1) of the Privacy Act.

The CCCWA
was established on 1 January 2004, under the Corruption and
Crime Commission Act 2003, as a permanent investigative
commission with the same powers as a Royal Commission. The
CCCWA assists the Western Australia Police Service to combat
organised crime by granting them special powers, and helps public
sector agencies minimise and manage misconduct.

CCCWA is
included for consistency, so that all currently-existing State
integrity bodies are listed.

Item 20 Subsection 6(1)

Item 20
will insert a definition of ‘enforcement related
activity’ into subsection 6(1) of the Privacy Act.

The
definition will substantially capture the matters covered by NPP
2.1(h), which creates an exception to the prohibition against
organisations using or disclosing personal information for a
secondary purpose by listing a number of activities conducted by or
on behalf of law enforcement bodies in respect of which personal
information may be used or disclosed.

The
definition of ‘enforcement related activity’ will
replicate this list but add paragraphs to ensure that the
definition covers the conduct of surveillance activities,
intelligence gathering activities and other monitoring activities
as well as protective or custodial activities. These types of
activities have been included to update and more accurately reflect
the range of activities that law enforcement agencies currently
undertake in performing their legitimate and lawful
functions.

The
definition is used in APPs 6 and 8 and will enable certain uses and
disclosures of personal and sensitive information which may
otherwise be a breach of those APPs. The definition
recognises that the limited use and disclosure of personal
information for criminal law enforcement purposes is in the public
interest when balanced with the interest in protecting an
individual’s privacy.

Item 21 Subsection 6(1)

Item 21
will insert a definition of ‘entity’ into subsection
6(1) of the Privacy Act.

In the
amended Privacy Act, ‘entity’ will mean ‘an
agency, or an organisation or a small business
operator’. Generally, while the APPs will not apply to
small business operators, they may be regulated under provisions of
Part IIIA (credit reporting).

Item 22
will update the definition of ‘generally available
publication’ in subsection 6(1) of the Privacy
Act.

The new
definition will explicitly state that a publication is a generally
available publication whether or not payment of a fee is required
to access it. The new definition is also more technologically
neutral, in that it clearly covers material available
electronically, including on the internet.

The
amendment is not intended to suggest that any website or
publication available on the internet is a generally available
publication. An assessment must be made on a case-by-case
basis, taking into account all relevant circumstances, such as the
extent to which access to the publication or website is restricted
in some way.

Item 23 Subsection 6(1)

Item 23
will insert a definition of ‘government related
identifier’ into subsection 6(1) of the Privacy
Act.

Government
related identifiers are specifically assigned by one of a range of
specifically listed government-related bodies (in paragraphs
(a)-(d) of the definition) and are used to identify an individual
or verify the identity of the individual. The definition
extends to State and Territory authorities as well as Commonwealth
agencies. Examples of government related identifiers include
Medicare numbers and driver’s licence numbers.

Item 24 Subsection 6(1)

Item 24
will insert a definition of ‘holds’ into subsection
6(1) of the Privacy Act.

The
definition will substantially capture the concept formerly included
in section 10 of the Privacy Act relating to record-keepers under
the IPPs. That is, an entity holds personal information if
the entity has possession or control of a record that contains the
personal information.

Item 25 Subsection 6(1)

Item 25
will insert a definition of ‘identifier’ into
subsection 6(1) of the Privacy Act. The concept is used in
APP 9, which is concerned with the adoption, use or disclosure of
government related identifiers by organisations.

The
definition is broader than the definition of
‘identifier’ in NPP 7.3, in that it will apply to a
number, letter or symbol, or combination of any or all of those
things, that is used to identify or to verify the identity of the
individual. As with the definition of
‘identifier’ in NPP 7.3, it will expressly exclude the
individual’s name, or the individual’s ABN (within the
meaning of the A New Tax System (Australian Business Number) Act
1999). It will also exclude anything else prescribed by
the regulations to ensure that there is flexibility to exclude any
future identifiers from the definition.

Item 26 Subsection 6(1)

Item 26
inserts a new definition of ‘Immigration Department’ in
section 6 of the Privacy Act to refer to that Department
administered by the Minister administering the Migration Act.
Currently, that is DIAC.

Item 27
will repeal the definition of ‘Information Privacy
Principle’, which will no longer be necessary because the
IPPs will be replaced by the APPs.

Item 28 Subsection 6(1) (definition of ‘IPP complaint’)

Item 28
will repeal the definition of ‘IPP complaint’, which
will no longer be necessary because the IPPs will be replaced by
the APPs. Complaints about acts and practices occurring after
the commencement of the amendments will relate only to the
APPs.

Item 29 Subsection 6(1)

Item 29
will insert a definition of ‘misconduct’ into
subsection 6(1) of the Privacy Act.

The new
concept will assist in clarifying the scope of provisions that
allow collection, use or disclosure of personal information for the
purposes of taking action against persons who have engaged in
serious misconduct. It includes fraud, negligence, default,
breach of trust, breach of discipline or any other misconduct in
the course of duty. It is intended that each of these terms
will take their ordinary/common law meaning.

Item 30 Subsection 6(1) (definition of ‘National Privacy Principle’)

Item 30
will repeal the definition of ‘National Privacy
Principle’, which will no longer be necessary because the
NPPs will be replaced by the APPs.

Item 31 Subsection 6(1)

Item 31
will insert a definition of ‘non-profit organisation’
into subsection 6(1) of the Privacy Act.

The
definition is based on the definition of ‘non-profit
organisation’ in NPP 10.5, which states that
‘non-profit organisation means a non-profit
organisation that has only racial, ethnic, political, religious,
philosophical, professional, trade or trade union
aims’. The amendment will update the definition so that
the terms ‘racial, ethnic’ are included within
‘cultural’, as well as including
‘recreational’ purposes.

Item 32 Subsection 6(1) (definition of ‘NPP complaint’)

Item 32
will repeal the definition of ‘NPP complaint’, which is
no longer necessary because the NPPs will be replaced by the
APPs.

Item 33 Subsection 6(1)

Item 33
will insert a definition of ‘overseas recipient’ into
subsection 6(1) of the Privacy Act.

The
definition will refer to APP 8, which will deal with cross-border
disclosure of personal information. In APP 8.1, an
‘overseas recipient’ is a reference to a person who is
not in Australia or an external Territory and is not the entity
holding the personal information or the individual who the personal
information is about.

Item 34 Subsection 6(1)

Item 34
will insert a definition of ‘permitted general
situation’ into subsection 6(1) of the
Privacy Act. The definition refers to the new section
16A (see Item 82) which outlines situations where the collection,
use or disclosure by an APP entity of personal information about an
individual, or of a government related identifier, will not be a
breach of the APPs.

Item 35 Subsection 6(1)

Item 35
will insert a definition of ‘permitted health
situation’ into subsection 6(1) of the Privacy Act.
The definition refers to the new section 16B (see Item 82)
which outlines situations where the collection, use or disclosure
of certain health information or genetic information, will not be a
breach of the APPs.

Item 36 Subsection 6(1) (definition of ‘personal information’)

Item 36
will update the definition of ‘personal information’ in
subsection 6(1) of the Privacy Act.

The new
definition will reflect the Government’s acceptance of the
ALRC’s recommendation that ‘personal information’ should be defined as
‘information or an opinion, whether true or not, and whether
recorded in a material form or not, about an identified or
reasonably identifiable individual’ (ALRC Recommendation
6-1).

The definition in the Privacy Act refers to, ‘information or
an opinion (including information or an opinion forming part of a
database)’. The reference to databases, which may have
provided clarification in 1988 when the Privacy Act was passed, is
no longer necessary and will not appear in the new
definition. It is intended that information forming part of a
database will be included in the new definition, even though
databases are no longer specifically included in the
definition.

The Privacy Act refers to ‘an individual whose identity is
apparent, or can reasonably be ascertained’. The new
definition will use the terms ‘identified’ and
‘reasonably identifiable’. The new definition has
been cast in terms of identification of individuals because this
language is more consistent with the APEC Privacy Framework and
other international instruments, which means that international
jurisprudence and explanatory material will be more directly
relevant to the Privacy Act.

The new definition will refer to an individual who is,
‘reasonably identifiable’. Whether an individual
can be identified or is reasonably identifiable depends on context
and circumstances. While it may be technically possible for
an agency or organisation to identify individuals from information
it holds, for example, by linking the information with other
information held by it, or another entity, it may be that it is not
practically possible. For example, logistics or legislation
may prevent such linkage. In these circumstances, individuals
are not ‘reasonably identifiable’. Whether an
individual is reasonably identifiable from certain information
requires a consideration of the cost, difficulty, practicality and
likelihood that the information will be linked in such a way as to
identify him or her.

In agreeing with ALRC Recommendation 6-2, the Government encouraged
the development and publication of appropriate guidance about the
meaning of ‘identified or reasonably identifiable’ in
the definition of ‘personal information’ by the OAIC,
noting that the decision to provide guidance was a matter for the
OAIC. Guidance issued by the OAIC would play an important
role in assisting organisations, agencies and individuals to
understand the application of the new definition, especially given
the contextual nature of the definition.

Item 37 Subsection 6(1) (definition of ‘record’)

Item 37 will amend the definition of ‘record’ in
subsection 6(1). In order
to allow for technological advances, ‘record’ will be
defined inclusively rather than exhaustively.

Item 38 Subsection 6(1) (paragraphs (b) and (c) of the definition of ‘record’)

Item 38
will amend the definition of ‘record’ in subsection
6(1) to include reference to ‘electronic or other
device’. This picks up the Government’s response
to ALRC Recommendation 6-6, which is that the definition should
encompass a broad range of recorded information, including
information held in electronic format. This change will
ensure that the definition is sufficiently flexible to encompass
how information will be recorded and stored in the
future.

Item 39 Subsection 6(1) (at the end of the definition of ‘record’)

Item 39
will add a note to the definition of ‘record’ in
subsection 6(1). To promote consistent terminology with other
Commonwealth legislation, the note will make it clear that the use
of the term ‘document’ in the definition of
‘record’ is found in section 2B of the Acts
Interpretation Act.

Item 40 Subsection 6(1)

Item 40
will insert a definition of ‘responsible person’ into
subsection 6(1) of the Privacy Act. The definition will
direct the reader to the new section 6AA (see Item 52).

Item 41
will amend the definition of ‘sensitive information’ in
subsection 6(1) to refer to an individual’s sexual
‘orientation’ rather than
‘preferences’. This minor change is not intended
to change the meaning of the definition but will ensure consistency
with other Commonwealth, state and territory
legislation.

Item 42 Subsection 6(1) (at the end of the definition of ‘sensitive information’)

Item 42
will amend the definition of sensitive information in subsection
6(1) of the Privacy Act by adding references to biometric
information and biometric templates.

The
inclusion of these two paragraphs will implement the
Government’s response to ALRC Recommendation 6-4. The
Government agreed with the ALRC that biometric information had
similar attributes to other sensitive information and it was
therefore desirable to provide it with a higher level of
protection.

Given the
broad nature of what can be considered biometric information, the
definition makes it clear that the additional protections only
extend to that biometric information which is specifically being
collected for the purpose of automated biometric verification or
biometric identification.

Item 43 Subsection 6(1) (definition of ‘solicit’)

Item 43
will repeal the definition of ‘solicit’ in the
Privacy Act. A new definition of ‘solicits’
will be inserted (see Item 44).

Item 44 Subsection 6(1)

Item 44
will insert a new definition of ‘solicits’ into the
Privacy Act.

The new
definition will be based on the present definition but use the term
‘entity’ consistently with the terminology of the
amended Privacy Act.

Item 45 Subsection 6(1) (definition of ‘use’)

Item 45
will repeal the definition of ‘use’ in subsection 6(1)
of the Privacy Act. The amended Privacy Act will
contain a single principle applying to both use and disclosure,
rendering this definition unnecessary. The concept of
‘use’ may still apply to any distinction between use
and disclosure under the amended Privacy Act.

Item 46 Subsection 6(2)

Item 46
will repeal subsection 6(2) of the Privacy Act.

The
subsection deals with breaches of the IPPs so will not be necessary
in the amended Privacy Act.

Item 47 Paragraph 6(7)(a)

Item 47
will amend paragraph 6(7)(a) of the Privacy Act to refer to an
‘APP’ instead of an ‘IPP’ in the context of
a complaint.

Item 48 Paragraph 6(7)(d)

Item 48
will repeal paragraph 6(7)(d) of the Privacy Act.

The
paragraph refers to a ‘file number complaint and an NPP
complaint’. With the introduction of the APPs, this
paragraph will not be necessary in the amended
Privacy Act. The concept of a complaint being both a
‘file number complaint and an APP complaint’ will be
covered under paragraph 6(7)(a) of the
Privacy Act.

Item 49 Paragraph 6(7)(f)

Item 49
will amend paragraph 6(7)(f) of the Privacy Act to refer to an
‘APP’ instead of an ‘NPP’ in the context of
a complaint.

Item 50 Subsection 6(10)

Item 50
will amend subsection 6(10) of the Privacy Act to refer to new
section 16 instead of section 16E, which is being repealed by Item
82. The new section 16 confirms that the APPs do not apply to
regulate the handling of personal information by an individual
where that information is collected, held, used, disclosed or
transferred for personal, family or household affairs (that is,
done other than in the course of business). This is
consistent with the exemption in subsection 7B(1).

Item 51 Paragraph 6(10)(a)

Item 51
will omit the reference to the Acts Interpretation Act in paragraph
6(10)(a) of the Privacy Act, which refers to de facto
partners.

This
reference will no longer be necessary, because the amended Privacy
Act will contain a definition of ‘de facto partner’
which gives the term the meaning given by the Acts Interpretation
Act (see Item 13).

Item 52 After section 6

Item 52
will amend the Privacy Act by inserting a definition of
‘responsible person’ after section 6. This
definition replaces the definition in NPP 2.5, which contains a
list of persons who are responsible for an individual under NPP
2.4. Some minor revisions have been made for consistency with
terminology in other Commonwealth legislation.

NPP 2.4
provides that a health service may disclose health information
about the individual to a person responsible for the individual in
certain circumstances. NPP 2.4 has been replaced by new
subsection 16B(5) (see Item 82).

Item 53 Section 6A (heading)

Item 53
will amend the heading to section 6A of the Privacy Act by
referring to a breach of an APP instead of an NPP.

Items 54-59 Subsection 6A

Items
54-59 will amend various parts of section 6A of the Privacy Act by
referring to the APPs instead of the NPPs.

Item 60 Subparagraphs 6C(4)(b)(ii) and (iii)

Item 60
will amend subparagraphs 6C(4)(b)(ii) and (iii) of the Privacy Act
to remove the references to the transfer of information.

As a
result of the changes in terminology from the NPPs to the APPs,
reference to the ‘transfer’ of information is
unnecessary. NPP 9 deals with transborder data flows and uses
the term ‘transfer’. However, APP 8, which deals
with cross-border disclosure of personal information, uses the term
‘disclosure’. To ensure that subparagraphs
6C(4)(b)(ii) and (iii) of the Privacy Act accurately reflect
matters regulated by the Privacy Act or under State and Territory
privacy laws, it is necessary to omit reference to
‘transfer’.

Item 61 Subsection 6EA(1)

Item 61
will amend subsection 6EA(1) of the Privacy Act by removing the
provision that section 16D does not apply to a small business
operator if the small business operator chooses to be treated as an
organisation and is registered under section 6EA.

This
provision will be removed because section 16D, which deals with the
delayed application of the NPPs to organisations that carry on one
or more small businesses, will also be repealed.

Item 62 Paragraph 6F(3)(b)

Item 62
will amend paragraph 6F(3)(b) of the Privacy Act by removing the
reference to the transfer of information. This is being done
for the same reason outlined in Item 60. To ensure that
paragraph 6F(3)(b) of the Privacy Act accurately reflects matters
regulated by the Privacy Act, it is necessary to omit reference to
‘transfer’.

Item 63 Paragraph 7(1)(a)

Item 63
will amend paragraph 7(1)(a) of the Privacy Act by removing the
term ‘eligible case manager’ (see Item 15).

Item 64 Paragraph 7(1)(cb)

Item 64
will repeal paragraph 7(1)(cb) of the Privacy Act, which deals with
acts done by an ‘eligible case manager’ (see Item
15).

Item 65 Paragraphs 7(1)(d) and (e)

Item 65
will amend paragraphs 7(1)(d) and (e) of the Privacy Act by
removing the references to an ‘eligible case manager’
(see Item 15).

Item 66 Paragraphs 7(1)(ea) and (eb)

Item 66
will repeal paragraphs 7(1)(ea) and (eb) of the Privacy Act, which
deal with the affairs of an ‘eligible case manager’
(see Item 15).

Item 67 Subsection 7(2)

Item 67
will amend subsection 7(2) of the Privacy Act by referring to the
APPs instead of the IPPs and the NPPs.

Item 68 Subsection 7B(1) (note)

Item 68
will amend the note to subsection 7B(1) of the Privacy Act by
replacing a reference to section 16E of the Privacy Act with a
reference to the new section 16, which also addresses the
application of the APPs to personal, family and household
affairs. Section 16E is being repealed by Item
82.

Item 69 Subsections 7B(1) and (2) (notes)

Item 69
will amend the notes to subsections 7B(1) and (2) by referring to
the APPs instead of the NPPs.

Items 70 and 71 Paragraph 8(2)(b) and subsection 8(2)

Items 70
and 71 will amend paragraph 8(2)(b) and subsection 8(2) of the
Privacy Act by describing an agency as holding a record instead of
being a record-keeper in relation to the record. This
amendment will make the provision more consistent with the
terminology in the Privacy Act following the repeal of the IPPs and the
inclusion of the new APPs.

Item 24
will insert a definition of ‘holds’ into subsection
6(1) of the Privacy Act. The new definition states that,
‘an entity holds personal information if the entity
has possession or control of a record that contains the personal
information’. Therefore, it is necessary to amend
paragraph 8(2)(b) and subsection 8(2) of the Privacy Act so that an
agency that was a record-keeper under the former IPPs in relation
to a record can simply be described as an agency holding a
record.

Item 72 Section 9

Item 72
will repeal section 9 of the Privacy Act. Section 9 refers to
‘collectors’ of personal information, which is a term
used in the IPPs. It also deemed the act of collection by an
employee of an agency, staff member or special member of the
Australian Federal Police, or for certain unincorporated bodies
assisting or connected with an agency, as collections by those
agencies in certain circumstances.

This
provision is now unnecessary with the repeal of the IPPs.
Under section 8 of the Privacy Act, acts and practices of
employees of these entities, including the collection of personal
information, will still be treated as acts and practices of the
entities themselves.

Item 73 Section 10 (heading)

Item 73
will amend the heading to section 10 of the Privacy Act by
referring to agencies taken to hold a record rather than
record-keepers.

This
amendment will make the heading consistent with Item 24, which will
insert a definition of ‘holds’ into subsection 6(1) of
the Privacy Act. The new definition states that ‘an
entity holds personal information if the entity has
possession or control of a record that contains the personal
information’, so an agency that is a record-keeper in
relation to a record can simply be described as holding the
record. That definition will substantially capture the
concept formerly included in section 10 of the Privacy Act relating
to record-keepers under the IPPs.

These
subsections establish which agencies are record-keepers for the
purposes of the Privacy Act. However, the amended
Privacy Act will no longer use the term ‘record-keeper’
(see Item 73) so the subsections will not be necessary.

Item 75 Subsections 10(4) and (5)

Item 75
will amend subsections 10(4) and (5) of the Privacy Act by
referring to agencies holding records rather than being
‘record-keepers’ in relation to records. As with
the amendments in Items 24 and 73, this amendment reflects the
repeal of the ‘record-keeper’ concept.

Item 76 Section 12

Item 76
will repeal section 12 of the Privacy Act.

Section 12
will no longer be necessary because it provides that the IPPs apply
to agencies in possession of personal information. The APPs,
which will replace the IPPs, will not maintain the distinction
between possession and control which forms the basis of section
12.

Item 77 Subsection 13B(1) (note)

Item 77
will amend the note to subsection 13B(1) of the Privacy Act by
replacing the references to the NPPs with references to the
APPs.

Item 78 Subsection 13B(1) (note)

Item 78
will amend the note to subsection 13B(1) of the Privacy Act by
replacing the reference to NPP 2 with a reference to APP 6, which
will deal with use and disclosure of personal
information.

Item 79 Subsection 13B(1A) (note)

Item 79
will amend the note to subsection 13B(1A) of the Privacy Act by
replacing the reference to the NPPs with a reference to the
APPs.

Item 80 Subsection 13C(1) (note)

Item 80
will amend the note to subsection 13C(1) of the Privacy Act by
replacing the references to the NPPs with references to the
APPs.

Item 81 Subsection 13C(1) (note)

Item 81
will amend the note to subsection 13C(1) of the Privacy Act by
replacing the reference to NPP 2 with a reference to APP 6, which
will deal with use and disclosure of personal
information.

Item 82 Divisions 2 and 3 of Part III

Item 82
will repeal Divisions 2 and 3 of Part III of the Privacy Act.
These Divisions provide for the application of the IPPs, the NPPs
and approved privacy codes. The IPPs and NPPs will be
replaced by the APPs, and so will no longer be necessary. A
new Part IIIB will be inserted into the Privacy Act dealing with
privacy codes.

Item 82
will insert new Divisions 2 and 3 of Part III into the Privacy
Act. The new sections in these Divisions are outlined
below.

Section 14
will direct the reader to the APPs in Schedule 1 of the Privacy
Act, and provide that a reference in any Act to an APP by a number
is a reference to the APP with that number.

Section 15
will provide that APP entities must not do an act, or engage in a
practice that breaches an APP. This requirement replaces the
requirement relating to the IPPs and the NPPs in sections 16 and
16A, which are being repealed.

Section 16
will express the same policy as section 16E of the Privacy Act,
namely that the APPs will not apply to any dealings with personal
information by an individual if the dealing is only for the
purposes of, or in connection with, his or her personal, family or
household affairs.

Section
16A will create the concept of a ‘permitted general
situation’. This will be a description of a situation
that is permitted (ie, not a breach of privacy) in relation to the
collection, use or disclosure of personal information by an APP
entity in certain circumstances listed in a table. To come
within the ‘permitted general situation’ concept, the
table outlines particular entities, the type of information or
identifier, and other specified conditions that need to be
satisfied.

Prevention of serious threat to life, health or safety

Item 1 of
the table in section 16A will enable an APP entity to collect, use
or disclose personal information or a government related identifier
in a permitted general situation without breaching the
APPs.

The first
condition is that it is unreasonable and impracticable to obtain
the individual’s consent to the collection, use or
disclosure. This implements the Government’s response
to ALRC Recommendation 25-3 to include an additional safeguard to
balance the removal of the ‘imminent’ element (for
example, in IPP 10.1(b)). The ALRC believed that the
‘imminent’ requirement set a disproportionately high
bar to the use and disclosure of personal information.

For the
purposes of this exception, whether it was ‘reasonable’
to seek consent would include whether it is realistic or
appropriate to seek consent. This might include whether it
could be reasonably anticipated that the individual would withhold
consent (such as where the individual has threatened to do
something to create the serious risk). It would also likely
be unreasonable to seek consent if there is an element of urgency
that required quick action. Whether the individual had, or
could be expected to have, capacity to give consent would also be a
factor in determining whether it was ‘reasonable’ to
seek consent.

Seeking
consent would not be ‘practicable’ in a range of
contexts. These could include when the individual’s
location is unknown or they cannot be contacted. If seeking
consent would impose a substantial burden then it may not be
practicable. It may also not be practicable to seek consent
if the use or disclosure relates to the personal information of a
very large number of individuals.

In
assessing whether it is ‘reasonable or practicable’ to
seek consent, agencies and organisations could also take into
account the potential consequences and nature of the serious
threat.

This
approach creates a presumption that agencies and organisations
should consider seeking consent before using or disclosing personal
information in the circumstances set out in the
recommendation.

Secondly,
the act or practice will be permitted where the collection, use or
disclosure of personal information or a government related
identifier is necessary to lessen or prevent a serious threat to
the life, health or safety of any individual or to public health or
safety.

Unlawful activity

Item 2 of
the table in section 16A will enable an APP entity to collect, use
or disclose personal information or a government related identifier
in a permitted general situation without breaching the
APPs.

This will
be where the APP entity has reason to suspect that unlawful
activity, or misconduct of a serious nature, that relates to an
entity’s functions or activities has been, is being or may be
engaged in; and the entity reasonably believes that the collection,
use or disclosure of personal information or a government
identifier is necessary in order for the entity to take appropriate
action in relation to the matter.

The
provision, by specifying that the unlawful activity or serious
misconduct must relate to an entity’s functions or
activities, intends that the exception will apply to an
entity’s internal investigations. Examples of
‘appropriate action’ in this context may include
collection, use or disclosure of personal information or a
government identifier for an internal investigation in relation to
internal fraud or breach of the Australian Public Service Code of
Conduct.

Missing persons

Item 3 of
the table in section 16A will enable an APP entity to collect, use
or disclose personal information in a permitted general situation
without breaching the APPs.

This will
be where the entity reasonably believes that the collection, use or
disclosure of personal information is reasonably necessary to
assist any APP entity, body or person to locate a person who has
been reported as missing, and the collection, use or disclosure
complies with rules made by the Information Commissioner under
sub-section (2). This amendment gives effect to the
Government’s response to ALRC Recommendation 25-2, where the
Government decided that entities should be permitted to use or
disclose personal information for the purpose of locating a
reported missing person.

Matters
which the Information Commissioner’s rules should address
include:

· that uses
and disclosures should only be in response to requests from
appropriate bodies with recognised authority for investigating
reported missing persons;

· that,
where reasonable and practicable, the individual’s consent
should be sought before using or disclosing their personal
information;

· where it
is either unreasonable or impracticable to obtain consent from the
individual, any use or disclosure should not go against any known
wishes of the individual;

· disclosure
of personal information should be limited to that which is
necessary to offer ‘proof of life’ or contact
information; and

· agencies
and organisations should take reasonable steps to assess whether
disclosure would pose a serious threat to any
individual.

Consistent
with the requirements of the Legislative Instruments Act
2003 (Legislative Instruments Act), the Information
Commissioner should consult with relevant stakeholders in making
these rules.

Legal or equitable claim

Item 4 of
the table in section 16A will enable an APP entity to collect, use
or disclose personal information where it is reasonably necessary
for the establishment, exercise or defence of a legal or equitable
claim. This is intended to replicate NPP 10.1(e), which
provides a similar exception.

An example
of where this exception is intended to apply is where an individual
has made a claim under their life insurance policy, and the insurer
is preparing to dispute the claim and it needs to collect health or
other sensitive information about the claimant and about witnesses
in order to prepare its case.

Alternative dispute resolution

Item 5 of
the table in section 16A will enable an APP entity to collect, use
or disclose personal information where it is reasonably necessary
for the purposes of a confidential alternative dispute resolution
process.

The
confidentiality safeguard included in the provision will limit the
scope of the alternative dispute resolution exception and so ensure
an additional protection for personal information.

Diplomatic or consular functions

Item 6 of
the table in section 16A will enable an agency to collect, use or
disclose personal information where that agency believes that the
collection, use or disclosure is necessary for its diplomatic or
consular functions or activities.

This is a
new exception and is intended to clarify that such agencies can
collect, use and disclose such information both within and outside
Australia. Government officials from agencies such as the
Department of Foreign Affairs and Trade (DFAT), who are based
overseas, regularly collect and disclose to their home agencies in
Australia personal information as part of their diplomatic and
consular functions. It would be impractical for DFAT and
other agencies to seek the consent of foreign government officials
and other individuals, about whom these agencies report to
Australia, to collect and disclose their personal information to
the Australian Government.

Similarly,
it is necessary for government officials based overseas to report
to DFAT in Australia in discharging its consular responsibilities,
especially in the event of an overseas crisis where overseas
officials are expected to assist Australians.

Defence

Item 7 of
the table in section 16A will enable the Defence Force to collect,
use or disclose personal information where it reasonably believes
that the collection, use or disclosure of that information is
necessary for any of the following occurring outside of Australia
at the external Territories:

This is a
new exception and is intended to clarify the circumstances where
the collection of sensitive information may occur without consent
outside Australia, and where personal information generally may be
disclosed to an overseas recipient. The Defence Force
undertakes a range of activities in other countries that involve
the collection and disclosure of personal information (sometimes in
remote and emergency situations) and it is important that there is
certainty about its ability to undertake these activities without
breaching the APPs.

Subsection 16A(2)

As noted
above, the Information Commissioner may make rules under subsection
16A(2). This amendment gives effect to the Government’s
response to ALRC Recommendation 25-2, where the Government decided
that such rules should be binding, and in the form of a legislative
instrument.

Section 16B

As noted
above, the existing health privacy and research provisions in the
Privacy Act have been incorporated in these amendments. This
is implemented through the operation of the APPs, new section 16B
and the provisions dealing with guidelines for medical research,
health and genetic information in sections 95, 95A and
95AA.

Section
16B will create the concept of a ‘permitted health
situation’. This will be a description of a situation
that is permitted (ie not a breach of privacy) in relation to the
collection, use or disclosure of certain health and genetic
information by an organisation. This section is intended to
reproduce the exceptions that applied under NPP 2.1(d), 2.1(ea),
2.4, and 10.2-10.3. APP 6.4 replaces NPP
10.4.

Subsection
16B(1) replaces NPP 10.2 and will continue to allow an organisation
to collect health information if the information is necessary to
provide a health service to the individual and the collection is
required or authorised by or under an Australian law, or where it
is collected in accordance with certain rules established by
competent health or medical bodies.

Subsection
16B(2) replaces NPP 10.3 and will continue to allow an organisation
to collect health information about an individual for the purpose
of research or the compilation of statistics relevant to public
health or safety or for the management, funding or monitoring of a
health service provided the safeguards included in paragraphs
16B(2)(a), (b), (c) and (d) are satisfied. These safeguards
replicate the existing safeguards in NPP 10.3. APP 6.4
replaces the requirement in NPP 10.4 for an organisation to
de-identify health information collected in accordance with NPP
10.3.

Subsection
16B(3) replaces NPP 2.1(d) and will continue to allow an
organisation to use or disclose health information for a secondary
purpose if:

- the use or
disclosure is necessary for research, or the compilation or
analysis of statistics relevant to public health or public
safety,

- it is
impracticable for the organisation to obtain the individual’s
consent to the use or disclosure;

- the use or
disclosure is conducted in accordance with guidelines issued by the
Information Commissioner under section 95A; and

- in the
case of disclosure - the organisation reasonably believes
that the recipient of the information will not disclose the health
information or personal information derived from the health
information.

Subsection
16B(4) replaces NPP 2.1(ea) and will continue to allow an
organisation to use and disclose genetic information about an
individual to a genetic relative in circumstances where the genetic
information may reveal a serious threat to a genetic
relative’s life, health or safety. Subsection 16B(4)
does not include the reference in NPP 2.1(ea) to ‘whether or
not the threat is imminent’. The words were initially
included in the provision to make it clear that the limitation in
other NPPs that a threat be both serious and imminent did not
apply. This is no longer necessary as the corresponding APPs
refer to serious threats rather than serious and imminent
threats.

Subsection
16B(5) replaces NPP 2.4 and will continue to permit disclosure of
an individual’s health information by an organisation that
provides a health service to a responsible person for an individual
in certain circumstances.

The
definition of responsible person will now be included in section 6
(see Item 52).

Section 16C

Section
16C is a key part of the Privacy Act’s new approach to
dealing with cross-border data flows. In general terms, there
are currently two internationally accepted approaches to dealing
with cross-border data flows: the adequacy approach, adopted by the
European Union in the Data Protection Directive of 1996, and the
accountability approach, adopted by the APEC Privacy Framework in
2004. NPP 9 was expressly based on the adequacy approach of
the EU Directive. Under the new reforms, APP 8 and section
16C will introduce an accountability approach more consistent with
the APEC Privacy Framework.

The
accountability concept in the APEC Privacy Framework is, in turn,
derived from the accountability principle from the OECD Guidelines
Governing the Protection of Privacy and Transborder Flows of
Personal Data of 1980. The OECD Guidelines did not define
accountability, being content with a statement that ‘a data
controller should be accountable for complying with measures which
give effect to the principles’ contained in the
Guidelines.

As part of
the new accountability approach, section 16C will provide that an
APP entity will be taken to have breached the APPs:

- if an APP
entity discloses personal information about an individual to an
overseas recipient,

- APP 8.1
applies to that disclosure,

- the APPs
do not apply under the Privacy Act to acts done, or practices
engaged in, by the overseas recipient in relation to the
information, and

- the
overseas recipient does something that would be a breach of the
APPs if the APPs had applied to those acts or practices.

The
section complements APP 8, which contains key aspects of the
accountability approach in the Privacy Act. Under APP 8.1,
there is a positive requirement on entities to take reasonable
steps to ensure the recipient will protect the information
consistent with the APPs prior to any cross-border transfer
occurring. More information about the operation of APP 8 is
included below.

Item 84
will amend subsections 54(2) and 57(2) of the Privacy Act by
removing the reference to an ‘eligible case manager’
(see Item 15).

Items 85 and 86 Paragraph 80H(2)(e) and subparagraph 80P(1)(c)(v)

Items 85
and 86 will amend paragraph 80H(2)(e) and subparagraph 80P(1)(c)(v)
of the Privacy Act by using the term ‘responsible
person’ or ‘responsible persons’ instead of
‘people who are responsible’. These amendments
are required as a consequence of the inclusion of a definition of
‘responsible person’ which will be inserted into the
Privacy Act by Items 40 and 52 to replace NPP 2.5.

Item 87 Paragraph 80Q(1)(c)

Item 87
will replace a reference to a person responsible for the individual
in paragraph 80Q(1)(c) of the Privacy Act with the term
‘responsible person’ (see Items 85 and 86).

Guidelines for medical research, health and genetic information

As noted
above, the existing health privacy and research provisions have
been incorporated in these amendments. There are some
consequential amendments to the provisions dealing with guidelines
for medical research, health and genetic information in sections
95, 95A and 95AA to reflect the changes made by replacing the
references to the IPPs or NPPs with references to the APPs or to
new sections, particular APPs or to be consistent with relevant new
sections.

Item 88 Subsection 95(1)

Item 88
will amend subsection 95(1) of the Privacy Act by clarifying that
section 95 applies to agencies and not organisations. This
preserves the existing operation of this
section.

Items 89-99

These
Items make consequential amendments to sections 95, 95A and
95AA.

Item 100 Subsection 95B(1)

Item 100
will amend subsection 95B(1) of the Privacy Act by referring to the
APPs instead of the IPPs.

Item 101 Section 95C

Item 101
will amend section 95C of the Privacy Act by referring to the APPs
instead of the NPPs.

Item 102 Subsections 100(2) to (4)

Item 102
will repeal subsections 100(2), (3) and (4) of the Privacy Act and
substitute two replacement subsections. These provisions
enable the Governor-General to make regulations that prescribe a
government related identifier, an organisation, a class of
organisations, and circumstances for the purposes of APP 9.3.
These changes are necessary because of the replacement of NPP 7
(identifiers) with APP 9 (adoption, use and disclosure of
government related identifiers).

Consistent
with this change, the provisions will apply to ‘government
related identifiers’ rather than
‘identifiers’. As noted in Item 23,
‘government related identifiers’ are specifically
assigned by one of a range of specifically listed
government-related bodies and used to identify an individual or
verify an individual’s identity.

The
regulation making power in subsection 100(2) will be based on the
existing subsection 100(2) but will be different in two
respects. First, it will be broadened to enable classes of
organisations, as well as individual organisations, to be
prescribed. This approach would still require that the
Government clearly articulate the types of organisations that can
interact with agency identifiers to provide services which are for
the public benefit and for a list of the organisations to be
publicly available, however it would not require continual updates
to regulations to take account of new
organisations.

New
subsection 100(2) will also extend to State and Territory
authorities as well as Commonwealth agencies. That will mean
the Minister, amongst other things, will need to be satisfied that
a relevant agency or State or Territory authority (or principal
executive of such an agency or authority) has agreed to the matters
to be prescribed, and has consulted the Information Commissioner
about these matters.

New
subsection 100(2) will also retain the requirement that the
Minister is satisfied that the adoption, use or disclosure of the
identifier by the organisation, or the class of organisations, in
the circumstances can only be for the benefit of the individual to
whom the identifier relates.

Under new
subsection 100(3), the requirements in subsection 100(2) will not
apply to regulations made in relation to certain uses or
disclosures of Commonwealth payroll numbers and in the provision of
superannuation services by an organisation to Commonwealth
employees. That is, in making such regulations there does not
have to be consultation with each individual agency affected.
However, the Minister will still be required to consult with
the Information Commissioner before making such
regulations.

Item 103 Part X

Item 103
will repeal Part X of the Privacy Act, which contains consequential
amendments.

Item 104 Schedules 1 and 3

Item 104
will repeal Schedules 1 and 3 of the Privacy Act, which
respectively contain consequential amendments and the NPPs.
The new Schedule 1 will contain the APPs.

Schedule 1—Australian Privacy Principles

Schedule 1
contains the 13 APPs, which are contained in five Parts. The
five Parts are:

Part 1
sets out principles that require APP entities to consider the
privacy of personal information, including ensuring that APP
entities manage personal information in an open and transparent
way.

Part 2
sets out principles that deal with the collection of personal
information including unsolicited personal information.

Part 3
sets out principles about how APP entities deal with personal
information and government related identifiers. The Part includes
principles about the use and disclosure of personal information and
those identifiers.

Part 4
sets out principles about the integrity of personal information.
The Part includes principles about the quality and security of
personal information.

Part 5
sets out principles that deal with requests for access to, and the
correction of, personal information.

Part 1—Consideration of personal information privacy

Australian Privacy Principle 1—open and transparent management of personal information

APP 1
requires APP entities to manage personal information in an open and
transparent way. This inclusion of APP 1 will keep the
Privacy Act up-to-date with international trends that promote a
‘privacy by design’ approach, that is, ensuring that
privacy and data protection compliance is included in the design of
information systems from their inception.

APP 1
requires an APP entity to consider how it will handle personal
information in compliance with the APPs or a registered APP
code. Under APP 1.2 an APP entity must take such steps as are
reasonable in the circumstances to implement practices, procedures
and systems relating to the entity’s functions and activities
that will ensure compliance with the APPs or a registered APP code
that binds the entity. These practices, procedures and
systems must also enable the entity to deal with inquiries or
complaints from individuals.

The
expression ‘such steps as are reasonable in the
circumstances’ is intended to be interpreted as being similar
in meaning to the term ‘reasonable steps’ used in the
NPPs. Specifically, the term requires an objective assessment, and
the addition of the words ‘in the circumstances’ is
only intended to highlight that when considering what are
objectively reasonable steps, the specific circumstances of each
case must be considered.

Policies
and practices under APP 1.2 could include:

· training
staff and communicating to staff information about the agency or
organisation’s policies and practices;

· establishing
procedures to receive and respond to complaints and
inquiries;

· developing
information to explain the agency or organisation’s policies
and procedures; and

APP 1.3
will require entities to have a clearly expressed and up-to-date
privacy policy about the management of personal information by the
entity. An ‘up-to-date’ privacy policy should be
a privacy policy that is a ‘living document’ and is
reviewed regularly.

Under APP
1.4, these policies must contain certain information relating to
the kinds of personal information collected and held; how such
information is collected and held; the purposes for which the
entity collects, holds, uses and discloses personal information;
access and correction procedures; complaint-handling procedures;
and information about any cross-border disclosure of personal
information that might occur.

Where
agencies or organisations have particularly significant information
handling practices, these should be included in their privacy
policies by clearly setting out how they collect, hold, use and
disclose personal information. For example, where agencies or
organisations have specific information retention or destruction
obligations, these should be described as a necessary part of how
they handle personal information.

Under APP
1.5, APP entities must take such steps as are reasonable in the
circumstances to make their privacy policies available to the
public free of charge, and in such form as is appropriate. As
noted at the foot of APP 1.5, an APP entity will usually make its
privacy policies available on its website. The inclusion of
this note implements recommendation 6 of the Senate Committee,
which considered that the requirement for an entity to make its
privacy policy available in ‘such form as is
appropriate’ should be further clarified.

Under APP
1.6, if a person or body requests a copy of the APP privacy policy
of an APP entity in a particular form, the entity must take such
steps as are reasonable in the circumstances to give the person or
body a copy in that form. The inclusion of a
‘body’ picks up a suggestion of the Senate Committee,
which considered that the intent of the provision should be
clarified so that entities other than individuals (for example,
media organisations) should be able to request a copy of the
policy.

Australian Privacy Principle 2—anonymity and pseudonymity

APP 2
provides that individuals must have the option of dealing with an
agency or organisation anonymously or through use of a pseudonym in
relation to a particular matter. The principle emphasises
that it is often not necessary for an entity to identify the
individuals with whom they are dealing. The privacy of
individuals will be enhanced if their personal information is not
collected unnecessarily.

An APP
entity will not be required to comply with APP 2 where that entity
is required or authorised by or under an Australian law, or a
court/tribunal order, to deal with individuals who have identified
themselves. This is likely to be applicable in certain
instances for agencies. For example, if individuals are
required under an Australian law to identify themselves to an
agency, then it will not be lawful or practical for the agency to
deal with them anonymously or pseudonymously.

An APP
entity will also not be required to comply with APP 2 where it is
impracticable for the APP entity to deal with individuals who have
not identified themselves (ie where an individual seeks to remain
anonymous or uses a pseudonym). For example, if a service
delivery agency cannot deal with an individual without
identification (for example, in collecting personal information for
an application for a benefit), that agency would not be required to
allow that individual to have the option of anonymity when dealing
with them on that particular matter. A similar instance would
be where a law enforcement agency is investigating a criminal
offence and requires a person’s identity to assist in that
investigation. There may also be circumstances where the
nature of a business and the service provided by an organisation is
not compatible with providing the option to interact
anonymously.

APP 3
outlines the rules applying to the collection of personal
information and sensitive information.

In terms
of personal information other than sensitive information, there
will be separate conditions for the collection of solicited
personal information by agencies and organisations. This
addresses concerns raised by the Senate Committee about whether
organisations should be able to collect personal information in the
same manner as agencies (ie where collection is ‘directly
related to’ one or more of the entity’s functions and
activities). The Senate Committee believed that this approach
may lower privacy protections and did not support
it.

In
relation to the requirement that an entity must not collect
personal information unless it is reasonably necessary for the
entity’s functions or activities, this is intended to operate
objectively and practically in the following
manner.

First, the
information collected is reasonably necessary to pursue that
function or activity. Whether the collection is reasonably
necessary is to be assessed from the perspective of a reasonable
person (not merely from the perspective of the collecting
entity). An entity’s functions or activities are only
those functions or activities that are legitimate for that type of
entity. by
legislation .

If an
agency or organisation cannot, in practice, effectively pursue a
legitimate function or activity without collecting personal
information, then the collection of that personal information would
be regarded as necessary for that legitimate function or
activity. Where a reasonable person would not regard the
function or activity in question as legitimate for that type of
entity, the collection of personal information will not be
‘reasonably necessary’ even if the entity cannot
effectively pursue that function or activity without collecting the
personal information. An agency or organisation should not
collect personal information on the off-chance that it may
become necessary for one of its functions or activities in the
future, or that it may be merely helpful.

The
interpretation of the ‘reasonably necessary’ test
applies throughout the APPs and not just in relation to APP
3.

Under APP
3.1, an agency must not collect personal information unless the
information is reasonably necessary for, or directly related to,
one or more of the entity’s functions or
activities.

The
‘directly related to’ test ensures that there must be a clear connection between
the collection of personal information and the agency's functions
or activities. The ‘directly related to’ test was
contained in IPP 1, which applied to agencies. The test will
be retained in APP 3 because there may be agencies that need to
collect solicited personal information in order to carry out
legitimate and defined functions or activities, but may not be able
to meet the ‘reasonably necessary’ test. While
the ‘directly related to’ test may, depending on the
circumstances, be a slightly lower threshold, agencies are subject
to a wider range of accountability mechanisms (for example, through
the Ombudsman, Ministers and the Parliament) in relation to
information that they handle.

Under APP 3.2, an organisation must not collect personal
information unless the information is reasonably necessary for one
or more of the organisation’s functions or activities.
As noted above, the inclusion of the ‘reasonably
necessary’ test for organisations implements
the views of the Senate Committee.

APP 3.3 will provide for the collection of ‘sensitive
information’, which is a subset of personal
information. The definition of sensitive information is in
subsection 6(1) of the Privacy Act. As noted above, that
definition now applies to agencies, and includes
biometric information and biometric templates. The general rule is that sensitive information
can only be collected by agencies or organisations where the
collection meets the criteria outlined in APP 3.1 and APP 3.2 and
where the individual has consented to the
collection.

However, APP 3.4 will provide for exceptions to this general
rule. These have been included to enable the collection of
sensitive information without consent where it is in the public
interest to do so when balanced with the interest in protecting an
individual’s privacy. These exceptions are outlined in
detail below.

APP 3.4(a) Where required or authorised by or under Australian law or a court/tribunal order

This
exception is intended to allow an APP entity to collect sensitive
information without consent where it is required or authorised by
or under Australian law or a court/tribunal order. An example
of this involving sensitive information would be section 261AA of
the Migration Act, which provides that a non-citizen in migration
detention must (other than in the prescribed circumstances) provide
to an authorised officer one or more personal
identifiers.

APP 3.4(b) Permitted general situations

See
discussion about this exception at Item 82, section
16A.

APP 3.4(c) Permitted health situation

See
discussion about this exception at Item 82, section 16B.

APP 3.4(d) Enforcement bodies

This
exception is intended to allow an enforcement body (other than the
Immigration Department), to collect sensitive information without
consent where it reasonably believes that the collection is
reasonably necessary for, or directly related to, one or more of
the entity’s functions or activities. The definition of
‘enforcement body’ is in subsection 6(1) of the Privacy
Act.

Where the
enforcement body is the Immigration Department, it will be able to
collect sensitive information without consent where it reasonably
believes that the collection is reasonably necessary for, or
directly related to, one or more ‘enforcement related
activities’ conducted by that Department.

The first
part of this exception is necessary to enable agencies with law
enforcement functions and activities to be able to collect
sensitive information without consent to perform their lawful and
legitimate functions and activities. There is a strong public
interest in enabling law enforcement agencies to enforce the
criminal law. A major part of this important function is the
ability to collect information about individuals. An
additional safeguard is that these agencies are also subject to
significant accountability and oversight arrangements over their
activities.

The second
part of this exception is necessary to enable the Immigration
Department to collect sensitive information without consent to
perform their lawful and legitimate enforcement related
activities. This Department has a wide range of enforcement
related activities such as detecting, preventing, investigating and
prosecuting breaches of visa, immigration and citizenship law;
preventing and reducing irregular migration, people smuggling and
trafficking in persons; collecting information to assess the
criminal history of applicants for Australian citizenship; and
cooperation with other agencies, including information-sharing, for
law enforcement and border security purposes, and the protection of
the public revenue.

However,
the Immigration Department has a wider range of non-enforcement
functions and activities than other enforcement bodies, and there
is less justification for allowing those to come within the scope
of this exception. Accordingly, the exception has been
limited to where the Immigration Department reasonably believes
that the collection is reasonably necessary for, or directly
related to, one or more ‘enforcement related
activities’ conducted by that Department.

APP 3.4(e) Non-profit organisations

This
exception is similar to NPP 10.1(d) and enables a non-profit
organisation to collect sensitive information without consent if it
relates to the activities of the organisation, and the information
relates solely to the members of the organisation, or to
individuals who have regular contact with the organisation in
connection with its activities.

Means of collection

APP 3.5
provides that an APP entity must collect personal information only
by lawful and fair means. This is based on NPP 1.2. It
is an important safeguard to ensure that personal information can
only be collected by lawful and fair means. The OAIC has
interpreted ‘fair’ to mean without intimidation or
deception. The concept of fair would also extend to the
obligation not to use means that are unreasonably
intrusive.

APP 3.6
provides that an APP entity must collect personal information about
an individual only from the individual. However, there are
two exceptions to this general rule.

First, an
agency may collect from a third party where the individual has
consented to that collection; or where it is authorised or required
under Australian law, or a court/tribunal order. In the
context of dealings with government agencies, the ability for an
individual to consent would minimise the need for that individual
to provide the same personal information to different
agencies. This will assist in giving effect to the
Government’s ‘tell us once’ service delivery
reform policy.

Secondly,
an APP entity may collect from a third party where it is
unreasonable or impractical to collect that personal information
directly from the individual. This is a particularly
important exception for agencies. For example, a law
enforcement agency may be investigating an individual for a
criminal offence, but could prejudice that investigation by being
forced to seek particular information directly from the
individual. This exception will allow that long-standing type
of activity to continue without breaching APP 3.

Solicited personal information

APP 3.7
provides that APP 3 applies to the collection of personal
information that is solicited by an APP entity. As noted
above, the concept of soliciting personal information refers to the
situation where an entity requests another entity (which includes
an individual) to provide the personal information, or to provide a
kind of information in which that personal information is
included. If an entity has not requested the personal
information, but only received it from another entity (including
where, for example, a law enforcement agency has asked another
agency to examine the personal information), that will not be a
solicited collection covered by APP 3. However, as noted
below, where personal information is unsolicited, it will still be
required to be handled in accordance with other relevant APPs, if
it is not destroyed or de-identified.

APP 4 will
ensure that personal information that is received by an entity is
still afforded privacy protections, even where the entity has done
nothing to solicit the information.

Under APP
4.1, where unsolicited personal information is received by an APP
entity, the entity must, within a reasonable period, determine
whether it could have collected the information under APP 3 as if
it had solicited the information. If it could have been
collected, APPs 5 to 13 will apply to that information as if it had
been solicited.

To enable
the APP entity to determine whether it could have collected the
information, APP 4.2 allows that entity to use or disclose the
personal information for that limited purpose.

APP 4.3
provides that, if the APP entity could not have collected the
information, and if the information is not contained in a
Commonwealth record, the entity must take steps to destroy the
information or ensure that it is no longer personal information
(for example, by taking steps to remove any reference to the
individual to whom the information relates). Information will
no longer be personal information when it does not satisfy the
definition of ‘personal information’ in section 6 of
the Privacy Act. The compliance burden entailed by APP 4 will
be eased by the provision that the entity must destroy the personal
information ‘as soon as practicable’.

The
reference in APP 4.3 to information ‘contained in a
Commonwealth record’ ensures that the requirements on
agencies to retain such information under the Archives Act will
override the APP 4 destruction or de-identification
requirements.

APP 4.3
contains the important qualifier ‘only if it is lawful and
reasonable to do so’. An example of where this would be
applicable is where an APP entity has received unsolicited personal
information from a law enforcement agency to assist that agency in
its investigations. If the APP entity decides that it could
not have collected the information, it would normally have to
destroy it in accordance with APP 4.3. However, it would not
be ‘lawful and reasonable’ to destroy such information
until the assistance that the entity has given to the law
enforcement agency has ended.

Under APP
4.4, if the APP entity cannot destroy or de-identify the
information under APP 4.3 (because the information is contained in
a Commonwealth record or because it would not be lawful and
reasonable to do so), it must still handle the personal information
in accordance with APPs 5 to 13. This will ensure that the
information will be accorded the same privacy protections as any
other personal information being held by the
entity.

It is not
the intention of APP 4 to prevent the practice
of agencies forwarding incorrectly addressed
correspondence.
As noted in responses to the Senate Committee, the receipt of
correspondence by Ministers, Members of Parliament and government
departments and agencies would, in normal circumstances, be
unsolicited. Under APP 4, these entities must, within a
reasonable period after receiving the information, determine
whether the unsolicited personal information could have been
collected under APP 3 if the entity had solicited the
information. It is clear that, in some circumstances, where
considering and responding to concerns of members of the public,
and referring them to appropriate recipients, are legitimate
functions of the entity, the unsolicited information could have
been collected under APP 3. Once an entity has determined
that the personal information could have been collected under APP
3, it would be possible for the entity to use or disclose the
information under APP 6.

Under APP
6, disclosure to another Minister or government department would be
permitted where the individual has consented to the use and
disclosure. Consent may be implied if it may reasonably be inferred
in the circumstances from the conduct of the individual.
Disclosure would also be permitted under APP 6 where the disclosure
is related to the primary purpose of collection (or directly
related, if the information is sensitive information), and the
disclosure is within the individual’s reasonable
expectations. As the individual has written with queries,
views or representations on particular issues, it is within their
reasonable expectation that their correspondence will be referred
to the appropriate entity within parliament or
government.

Australian Privacy Principle 5—notification of the collection of personal information

APP 5 sets
out the obligation for an entity to ensure that an individual is
aware of certain matters when it collects that individual’s
personal information. Generally, the individual must be made
aware of how and why personal information is, or will be, collected
and how the entity will deal with that personal
information.

APP 5.1
creates the general requirement for an APP entity to provide
notification. That must occur at or before the time or, if
that is not practicable, as soon as practicable after the APP
entity collects personal information about an individual. At
that time (whichever is relevant), the APP entity must take such
steps (if any) as are reasonable in the circumstances to notify the
individual of such matters referred to in APP 5.2 as are reasonable
in the circumstances or otherwise ensure that the individual is
aware of any such matters.

The phrase
‘reasonable in the circumstances’ is an objective test
that ensures that the specific circumstances of each case have to
be considered when determining the reasonableness of the steps in
question. This flexibility is necessary given the different
types of APP entities and functions/activities that are to be
regulated under the APPs. In many cases, it would be
reasonable in the circumstances for an APP entity to provide the
information outlined in APP 5.2.

However,
for agencies with particular functions and activities, this may not
be the case. For example, it would not be reasonable in the
circumstances for a law enforcement agency to notify an individual,
who is under investigation for a criminal offence, particularly
where that agency is undertaking covert surveillance, that
information is being collected about them.

APP 5.2
lists specific matters of which the individual must be
notified. This is based on IPP 2 and NPP 1.3 and,
coupled with APP 1, is intended to give the individual detailed and
enhanced information about how their personal information is to be
handled by an APP entity. This information includes contact
details of the APP entity; whether information has been collected
from a third party or under an Australian law or court/tribunal
order (and details about that collection); the purpose of the
collection; complaint-handling and access/correction information in
the APP entity’s privacy policy; disclosure information,
including to overseas recipients, and the consequences of not
collecting the information.

Part 3—Dealing with personal information

Australian Privacy Principle 6—use or disclosure of personal information

APP 6 sets
out the circumstances in which entities may use or disclose
personal information that has been collected or received.
This APP is based on IPPs 10 and 11, and NPPs 2 and 10. As
with those principles, it is implicit from the principle that
entities may use or disclose personal information for the primary
purpose for which the information was collected. This is
outlined in general in APP 6.1, which creates the general
prohibition on secondary disclosure.

The
provision allows for a situation where there is a general primary
purpose (for example, assessing a person’s suitability to
enter Australia). How broadly the primary purpose can be
described will need to be determined on a case-by-case basis and it
will depend on the circumstances.

The
Government anticipates that the OAIC will develop specific guidance
about the meaning of ‘primary purpose’ in consultation
with agencies and organisations.

Generally,
personal information must only be used or disclosed for purposes
other than the primary purpose, that is, for a secondary purpose,
if the relevant individual has consented, or exceptions in APP 6.2
and 6.3 apply. These exceptions list a number of specific
circumstances in which allowing secondary disclosure is in the
public interest when balanced with the interest in protecting an
individual’s privacy.

The
exceptions will apply to sensitive information as well as to other
personal information. In the particular case where the
individual would reasonably expect the entity to use or disclose
the information for the secondary purpose:

for
sensitive information, the use or disclosure must be
directly related to the primary purpose;

for
personal information which is not sensitive information, the use or
disclosure must be related to the primary purpose.

As with
APP 3, there are a number of exceptions enabling the use or
disclosure of personal and sensitive information where
‘required or authorised by or under Australian law or a
court/tribunal order’; in permitted general situations
(section 16A); in permitted health situations (section 16B); and
where an ‘APP entity reasonably believes that the use or
disclosure of the information is reasonably necessary for one or
more enforcement related activities conducted by, or on behalf of,
an enforcement body’. The final exception is
aimed at enabling any APP entity to cooperate with an enforcement
body where it may have personal information relevant to an
enforcement related activity of that enforcement
body.

APP 6.3
will provide that an agency will be allowed to disclose biometric
information or templates if the recipient is an enforcement body
and the disclosure is conducted in accordance with the guidelines
made by the Commissioner. This approach recognises that
non-law enforcement agencies have current, and will have future,
legitimate reasons to disclose biometric information and templates
to enforcement bodies. A practical example of the effect of
this option would be to enable, consistent with the
Commissioner’s guidelines, the automatic provision of
biometric information and templates by a non-enforcement agency
into a database operated by an enforcement body. This is
currently a gap in the enforcement related activity exception in
the Privacy Act that prevents this increasing activity from
occurring. The privacy safeguard for this new proposal is
that the activity in question would be subject to ongoing oversight
by the Information Commissioner through guidelines; this recognises
that there are likely to be continuing developments in the use of
biometric information and templates, and ongoing questions about
the appropriate use of this evolving technology.

APP 6.4
provides that, if an APP entity collects health information about
an individual for certain research purposes under subsection
16B(2), that entity must take such steps as are reasonable in the
circumstances to de-identify that information before it uses or
discloses the information under APP 6.1 or 6.2. This
reproduces the requirement in NPP 10.4.

APP 6.5
will provide that if an entity uses or discloses personal
information because it is reasonably necessary for an enforcement
related activity, the entity must make a written note of the use or
disclosure. The requirement is based on NPP 2.2 and aims to
ensure accountability for such disclosures, but will not be
extended to other exceptions to the rule against use or disclosure
for a secondary purpose because of the compliance burden it would
impose on entities.

APP 6.6
will provide that if a corporation collects personal information
and passes it on to a related corporation, the related corporation
will be taken to have collected the personal information for the
same primary purpose as the first corporation. This will
ensure that, unless one of the exceptions listed in APP 6 applies,
the related corporation will have to obtain the individual’s
consent before using or disclosing his or her personal information
for a secondary purpose.

APP 6.7
provides that APP 6 will not apply to the use or disclosure of
personal information for the purposes of direct marketing or to
government related identifiers because these matters are dealt with
elsewhere in the APPs.

Australian Privacy Principle 7—direct marketing

Direct
marketing involves communicating directly with a consumer to
promote the sale of goods and services to the consumer. The
direct marketing communication could be delivered by a range of
methods including mail, telephone, email or SMS. Direct
marketers compile lists of consumers and their contact details from
a wide variety of sources, including public records, the white
pages, the electoral roll, registers of births, deaths and
marriages and land title registers. They also include
membership lists of business, professional and trade organisations,
survey returns and mail order purchases.

Direct
marketing is addressed separately within a discrete principle
rather than as a kind of secondary purpose (see APP 6) because of
the significant community interest about the use and disclosure of
personal information for the purposes of direct
marketing.

APP 7 will
prohibit direct marketing by organisations.

Agencies
will generally be exempt from the prohibition as it would impact on
their ability to communicate legitimate and important information
to individuals. However, a note to APP 7.1 draws
attention to section 7A of the Privacy Act, which provides that an
act or practice of an agency may be treated as an act or practice
of an organisation if the agency engages in commercial
activities. This means that the prohibition against direct
marketing will also apply to agencies engaging in commercial
activities.

APP 7
contains a distinction between individuals, such as existing or
previous customers, who have been in contact with an organisation,
and those who have not. However, the principle will not use
terms such as ‘customer’ or
‘non-customer’. Instead, it will capture the
distinction by referring to individuals from whom an organisation
has collected information and individuals from whom it has
not. The intention is to apply more stringent obligations
when using personal information of non-existing customers as the
individual is less likely to expect their information to be used or
disclosed for direct marketing purposes.

APPs 7.2
to 7.5 list exceptions to the rule against direct marketing.
Under APP 7.2, an organisation may use or disclose personal
information (other than sensitive information) for direct marketing
if: the organisation collected the information from the individual;
the individual would reasonably expect the organisation to use the
information for direct marketing; the organisation has provided a
simple means by which the individual can request not to receive
direct marketing; and the individual has not availed him or herself
of this means.

This
exception will reflect the policy of requiring organisations to
allow consumers to opt out of direct marketing. An opt-out
rather than opt-in requirement is appropriate where the individual
has provided the information to the organisation.

In the
circumstances where the organisation has not obtained personal
information from the individual, then opt-out still applies but
there are additional requirements with respect to ensuring the
individual is informed of their rights and how to exercise these
rights.

Under APP
7.3, in cases where the individual would not reasonably
expect his or her personal information to be used for direct
marketing or the information has been collected from a third party
(so that, again, the individual would not reasonably expect to
receive direct marketing from the organisation), the exception to
the rule against direct marketing will be narrower.
Under this provision, an organisation may use or disclose that
information for direct marketing only if: the individual has
consented (or it is impracticable to obtain consent); the
organisation has provided the means to opt out and the individual
has not opted out; and in each direct marketing communication the
organisation must tell the individual that he or she may request to
no longer receive direct marketing and no request is
made.

Under APP
7.4, where an individual has provided sensitive information
to an organisation, it will be necessary for the organisation to
obtain the individual’s consent before using that information
for direct marketing purposes. There will be no provision
that consent need not be obtained if doing so is impossible or
impracticable, and it will not matter whether or not the individual
and organisation have a pre-existing relationship.

Under APP
7.5, a contracted service provider for a Commonwealth contract may
use or disclose personal information for the purposes of direct
marketing if doing so meets an obligation under the contract.
This provision will extend the general exemption of agencies from
the rule against direct marketing to parties working for or on
behalf of an agency.

APP 7.6
will provide that individuals may ask organisations who hold their
personal information to stop sending direct marketing or to not
disclose their personal information to other organisations for the
purposes of direct marketing. They may also ask organisations
to disclose their source of the information. Organisations
must comply with such requests free of charge within a reasonable
period. They need not comply with requests to disclose the
source of information if it is impracticable or unreasonable to do
so. The ‘reasonable period’ provisions will ease
the compliance burden on organisations.

APP 7.6
applies to organisations that either use or disclose personal
information for the purposes of direct marketing, or for the
purpose of facilitating direct marketing by other
organisations.

APP 7.6(b)
will capture organisations that collect personal information for
the purpose of providing that information to another organisation
to facilitate direct marketing by that other organisation.
For example, this will include a situation where a company has
personal information that it provides to a retailer, and the
retailer then uses that personal information for the purpose of
directly marketing its products.

However,
it is not intended that APP 7.6(b) will apply to organisations such
as mailing houses that are utilised by a first organisation to
simply send out direct marketing material for those
companies. If those types of service providers are APP
entities, their handling of personal information would be subject
to the APPs. This is distinct from the situation where an
entity carries out direct marketing on behalf of the first
organisation, by, for example, actually conducting the door to door
direct marketing on behalf of the first
organisation.

APP 7.8
will provide that instruments such as the Spam Act 2003,
which contain specific provisions regarding direct marketing, will
displace the more general provisions under the principle.
Thus APP 7 will be displaced where another Act specifically
provides for a particular type of direct marketing or direct
marketing by a particular technology, but will apply to
organisations involved in direct marketing relating to electronic
messages and other acts and practices not covered by such
instruments.

APP 8 sets
out a requirement for an APP entity that chooses to disclose
personal information to overseas recipients to take such steps as
are reasonable in the circumstances to ensure that the overseas
recipient does not breach the APPs. Along with section 16C,
this APP implements the new accountability approach to cross-border
disclosure of personal information. This is reinforced in the
note at the foot of APP 8.1, which refers to section 16C (which
will provide that in certain circumstances, an act done, or a
practice engaged in, by an overseas recipient can be taken to be a
breach of the APPs by the entity which disclosed the personal
information to the overseas recipient).

The
principle will aim to permit cross-border disclosure of personal
information and ensure that any personal information disclosed is
still treated in accordance with the Privacy Act. This is a
change from NPP 9, which prohibits cross-border disclosure, subject
to some exceptions. The principle will apply to agencies as
well as organisations, which is also a significant difference from
the existing Act.

Although
APP 8 explicitly adopts the term ‘disclosure’ rather
than ‘transfer’, APP 8 (and related provisions)
would not apply to the overseas movement of personal information if
that movement is an internal use by the entity, rather than a
disclosure. APP 8 will apply where an organisation sends
personal information to a ‘related body corporate’
located outside Australia.

It is not
intended to apply where personal information is routed through
servers that may be outside Australia. However, entities will
need to take a risk management approach to ensure that personal
information routed overseas is not accessed by third parties.
If the information is accessed by third parties, this will be a
disclosure subject to APP 8 (among other principles).

In terms
of the reach of APP 8, the chain of accountability for APP entities
would not be broken simply because the overseas entity engaged a
subcontractor. For example, the requirements of APP 8 will
still apply where an organisation contracts a function to an
overseas entity (thereby making a cross border disclosure), and
that overseas entity then engaged a subcontractor.

In
practice, the concept of taking ‘such steps as are reasonable
in the circumstances’ will normally require an entity to
enter into a contractual relationship with the overseas
recipient.

The
general requirement to take reasonable steps to ensure compliance
will be qualified by a number of exceptions:

When the
entity has a reasonable belief that the overseas recipient is
subject to legal or binding obligations to protect information in
at least a substantially similar way to the protection provided by
the APPs, the requirement will not apply. For this exception
to apply, there must be accessible mechanisms which allow the
individual to enforce those protection obligations.

The
‘reasonable belief’ test will allow entities to make
decisions based on the information available to them and the
context of a particular disclosure. The term
‘substantially similar’ will not be defined, and
provides flexibility in considering the regulatory elements of the
overseas jurisdiction. The term ‘at least’ will
be used to ensure that stricter obligations than the APPs will
still be compliant.

It is not
essential that the overseas jurisdiction have an office equivalent
to the OAIC in order to provide accessible enforcement
mechanisms. It should be possible for a range of dispute
resolution or complaint handling models to satisfy this
requirement. Effective enforcement mechanisms may be
expressly included in a law or binding scheme or may take effect
through the operation of cross-border enforcement arrangements
between the OAIC and an appropriate regulatory authority in the
foreign jurisdiction.

The
requirement will not apply when an individual consents to the
cross-border disclosure, after the entity informs the individual
that the consequence of giving their consent is that the
requirement in APP 8.1 will not apply.

To reduce
the compliance burden, this exception should not mean that consent
is required before every proposed cross-border disclosure.
Rather, it will apply where an individual has the explicit option
of not consenting to certain disclosures which may include
cross-border disclosures. In addition, an APP entity is
required to give individuals notification about other entities to
which the APP entity usually discloses personal information of the
kind collected by the entity (APP 5.2(f)), and whether the APP
entity is likely to disclose the personal information to overseas
recipients (APP 5.2(i)).

When the
disclosure is required or authorised by or under law, the
requirement will not apply.

When some
(but not all) permitted general situations exist (see Item 82), the
requirement will not apply.

When the
disclosure is required or authorised by or under an international
agreement relating to information sharing, the requirement will not
apply if the entity is an agency and Australia is a party to the
agreement. This is intended to include all forms of
information-sharing agreements made between an Australian and an
international counterpart (for example, treaties, exchange of
letters).

When the
entity is an agency, the requirement will not apply if the agency
reasonably believes that the disclosure is reasonably necessary for
enforcement related activities by, or on behalf of, an enforcement
body and the overseas recipient’s functions or powers are
similar to those of an enforcement body. This is intended to
enable an enforcement body to cooperate with international
counterparts for enforcement related activities.

Australian Privacy Principle 9—adoption, use or disclosure of government related identifiers

The
amended Act will include a definition of ‘government related
identifier’ (see Item 23). Since government related
identifiers are generally highly reliable for verification and
identification of individuals, their use and disclosure will be
addressed by more specific guidelines than the general ‘use
and disclosure’ principle in APP 6.

APP 9 will
regulate the adoption, use or disclosure of government related
identifiers by organisations.

The
principle will aim to restrict general use of government related
identifiers by the private sector so that government related
identifiers do not become universal identifiers, as well as to
prevent data-matching by organisations facilitated by the use and
disclosure of those identifiers.

The
principle will prohibit an organisation from adopting a government
related identifier to identify an individual unless that adoption
is required or authorised by or under law or allowed under the
regulations. The principle will also prohibit an organisation from
using or disclosing
a government related identifier unless that use or disclosure falls
within one of a list of specified exceptions. APP 9.2 will provide
for exceptions relating to use or disclosure:

· where it
is reasonably necessary to verify the identity of an individual for
an organisation’s activities or functions;

· where it
is reasonably necessary to fulfil an organisation’s
obligations to an agency or State or Territory
authority;

· where it
is required or authorised by or under an Australian law, or a
court/tribunal order;

· where an
organisation reasonably believes it is reasonably necessary for
enforcement related activities by, or on behalf of, an enforcement
body; and

· where it
is allowed under the regulations.

These
exceptions will recognise that balanced against the aims of the
principle discussed above, there may be circumstances where use or
disclosure of a government related identifier by an organisation
may be necessary for public purposes or present a clear benefit to
the individual. An example is to allow contracted service
providers to use or disclose a government related identifier if
necessary for the performance of a Commonwealth contract. The use
of ‘reasonably necessary’ in a number of the exceptions
will ensure that an objective test is applied.

The
principle will allow for regulations to prescribe classes of
organisations which may fall within the exception to the general
prohibition on adoption, use and disclosure of government related
identifiers. Allowing the regulations to prescribe classes of
organisations is intended to reduce delays which may be caused by
the requirement in the NPPs that individual organisations be
prescribed. It will also reduce the need for continual
updates to regulations, while still requiring clear articulation of
the types of organisations that can interact with government
related identifiers.

Part 4—Integrity of personal information

Australian Privacy Principle 10—quality of personal information

APP 10
sets out the obligation for an APP entity to take steps (if any) as
are reasonable in the circumstances to ensure that the personal
information it collects, uses and discloses meets certain quality
requirements.

APP 10 is
intended to ensure that personal information is accurate,
up-to-date and complete. In relation to use and disclosure, the
personal information should also be relevant and of a quality
appropriate to the purposes of that use or disclosure. This
will require entities to assess the relevance of personal
information against the particular reason for its use or disclosure
and only share so much of the personal information they hold as is
relevant to that purpose. The quality assessment of personal
information should occur at the time of collection, at the time of
use and at the time of disclosure.

The
requirements in APP 10.1 and 10.2 to ‘take steps (if any) as
are reasonable in the circumstances’ will raise particular
issues for information that might be out-of-date. For
agencies, out-of-date information may become relevant for future
activities (for example, prosecution of an individual for a
criminal offence). In these circumstances, it may not be
reasonable to update information, if it may, in its preserved form
continue to be relevant into the future for a legitimate function
or activity of the APP entity.

Australian Privacy Principle 11—security of personal information

APP 11
sets out an APP entity’s obligations relating to the
protection and destruction of personal information it
holds.

The
principle will require an entity to take such steps as are
reasonable in the circumstances to protect personal information
from misuse, interference and loss, and from unauthorised access,
modification or disclosure. This should involve active
measures by an entity to ensure the security of personal
information.

The
inclusion of ‘interference’ in APP 11 is intended to
recognise that attacks on personal information may not be limited
to misuse or loss, but may also interfere with the information in a
way that does not amount to a modification of the content of the
information (such as attacks on computer systems). This
element may require additional measures to be taken to protect
against computer attacks and other interferences of this nature,
but the requirement is conditional on steps being ‘reasonable
in the circumstances’. Practical measures by entities
to protect against interference of this nature are becoming more
commonplace. The use of the term ‘interference’,
which focuses on the result of the activity rather than the means
used to achieve that result, ensures that the technologically
neutral approach to the APPs is retained.

If an
entity no longer needs personal information for any purpose for
which it may be used or disclosed under the APPs, and if the
information is not contained in a Commonwealth record or legally
required to be retained by the entity, the principle will require
that the entity destroy the information or ensure that it no longer
meets the Privacy Act’s amended definition of ‘personal
information’. This would require the entity to permanently
remove from a record any information by which an individual may be
identified, in order to prevent future re-identification from
available data. Destruction should be proportional to the
form of the record.

The
principle will be flexible, in that the circumstances of each
entity will determine when any personal information it holds is no
longer necessary for any permitted purpose. The principle will in
effect impose an obligation on entities to justify their retention
of personal information.

Part 5—Access to, and correction of, personal information

Australian Privacy Principle 12—access to personal information

APP 12
provides that individuals must be granted access to personal
information held about them by an APP entity upon request by the
individual, subject to specific exceptions.

The
principle will create separate exceptions for access to personal
information held by agencies and organisations. This will reflect
the responsibilities that agencies have under other Commonwealth
legislation in relation to access to information, such as the
Freedom of Information Act 1982 (FOI Act). The
right to access an individual’s personal information held by
an agency was also included in IPP 6. However, the FOI Act
was treated as the principal avenue by which individuals were
encouraged to seek access to the personal information. It is
intended that the FOI Act should continue to be the primary
legislative vehicle by which individuals can seek access to their
personal information where it is contained in documents held by
agencies.

The
ALRC’s recommendations which relate to including an
enforceable right of access to, and correction of, an
individual’s own personal information in the Privacy Act
(rather than maintaining the right through the FOI Act) will be
considered at a later date.

In
relation to organisations, APP 12.3 will create a number of
exceptions which largely replicate NPP 6.1. The principle will
combine the two ‘serious threat’ exceptions to remove
the requirement that a threat be ‘imminent’, creating
consistency with other sections of the Privacy Act (see Item
82).

The other
exceptions relate to where:

· access
would have an unreasonable impact on the privacy of other
individuals;

· the
request is frivolous or vexatious;

· the
information relates to existing or anticipated legal proceedings
between the entity and the individual, and would not be accessible
by the process of discovery in those proceedings;

· giving
access would reveal the intentions of the entity in relation to
negotiations with the individual in such a way as to prejudice
those negotiations. This is intended to operate the same way
as current NPP 6.1(f). An entity would not have to provide
access to an individual’s information if it would show the
organisation’s intentions and would prejudice or interfere in
a negative way in the organisation’s negotiations with the
individual (including where the negotiations are yet to commence
but are reasonably anticipated);

· giving
access would be unlawful, or denying access is required or
authorised by or under an Australian law or a court/tribunal
order;

· the entity
has reason to suspect that unlawful activity, or misconduct of a
serious nature, that relates to the entity’s functions or
activities has been, or is being or may be engaged in, and giving
access would be likely to prejudice the taking of appropriate
action in relation to the matter;

· access
would be likely to prejudice one or more enforcement related
activities conducted by, or on behalf of, an enforcement body;
or

· access
would reveal evaluative information generated within the entity in
connection with a commercially sensitive decision-making
process.

If an APP
entity refuses to give an individual access to their personal
information due to one of the exceptions, or in the manner
requested, APP 12.5 will require the entity to take such steps (if
any) as are reasonable in the circumstances to give access in a way
that meets the needs of the individual and the entity. This
will ensure that entities work with individuals to try to satisfy
their request.

Under APP
12.4, there are requirements for responding to the request within a
certain timeframe and giving access to the information in the
manner requested, if reasonable and practicable to do so.
Organisations must respond to a request for access to
personal information within a reasonable period after the request
is made. It is intended that a ‘reasonable
period’ under APP 12.4 relating to more complicated requests
will not usually exceed 30 days.

The
principle will provide for the possibility of alternative access
through the use of a mutually agreed intermediary. This will
reflect a strengthening of the obligation under NPP 6.3 to
‘consider’ the use of a mutually agreed
intermediary.

Under APP
12.8, an organisation that charges an individual for providing
access to the individual’s personal information must ensure
that the charges are not excessive and must not apply to the making
of the request. An excessive charge amount would include
recouping costs above the actual amount incurred by the
organisation.

If an APP
entity refuses access to an individual’s personal information
due to one of the exceptions, or in the manner requested, APP 12.9
will also require the entity to give written reasons for the
refusal. Written reasons will not be required, though, to the
extent that it would be unreasonable with regard to the grounds for
the refusal.

APP 12.10
provides that, if an APP entity refuses to give access to the
personal information because of paragraph 12.3(j), the reasons for
the refusal may include an explanation for the commercially
sensitive decision. APP 12.10 will operate in the same manner
as the repealed NPP 6.2 that enabled an organisation to provide an
explanation for a commercially sensitive decision rather than
direct access to the information.

Australian Privacy Principle 13—correction of personal information

APP 13
will set out the obligation for an entity to take reasonable steps
to correct the personal information it holds about an individual if
it is satisfied that the information is inaccurate, out-of-date,
incomplete, irrelevant or misleading, with regard to the purpose
for which it is held, or upon request by the individual. This
obligation may include making appropriate deletions or
additions.

The
principle is not intended to create a broad obligation on entities
to maintain the correctness of personal information they hold at all
times. The principle will interact with APP 10, such
that when the quality of personal information is assessed at the
time of use or disclosure, an entity may need to correct the
information before use or disclosure if the entity is satisfied
that the information is inaccurate, out-of-date, incomplete,
irrelevant or misleading.

If
personal information is held for a range of purposes, and it is
considered incorrect with regard to one of those purposes, the
obligation to take reasonable steps to correct the information
should apply.

The
principle will remove the requirement in NPP 6.5 for an individual
to ‘establish’ that personal information is incorrect
before correction is required.

If an
entity corrects the personal information of an individual, APP 13
will require it to take reasonable steps to notify any other entity
to which it had previously disclosed the information, if that
notification is requested by the individual. The compliance
burden will be reduced by the proviso that notification is not
required if it would be impracticable or unlawful.

If an
entity refuses to correct personal information in response to an
individual’s request, the principle will provide a mechanism
for individuals to request that a statement that the information is
inaccurate, out-of-date, incomplete, irrelevant or misleading be
associated with the information. The entity must take
reasonable steps to associate the statement so that it is apparent
to users of the personal information. This will ensure that
individuals retain control of how their personal information is
handled. The statement should address matters relevant to the
information being inaccurate, out-of-date, incomplete, irrelevant
or misleading, and should not be unreasonably lengthy. The
appropriate content and length of any statement will depend on the
circumstances of the case.

Under APP
13.5, there are requirements for responding to requests under APP
13 within a certain time frame. Organisations must
respond to such requests within a reasonable period after the
request is made. It is intended that a ‘reasonable
period’ under APP 13.5 relating to more complicated requests
will not usually exceed 30 days.

The
ALRC’s recommendations relating to including an enforceable
right of access to, and correction of, an individual's own personal
information in the Privacy Act (rather than maintaining the right
through the FOI Act) will be considered at a later
date.

Schedule 2 - Credit Reporting

Introduction

Outline of this schedule

This
schedule amends the provisions that deal with credit reporting in
the Privacy Act. Various definitions are replaced and
additional definitions inserted to deal with new terms, and Part IIIA
is replaced with a new Part IIIA. The new provisions provide
clear rules for participants in the credit reporting system by
identifying the flows of personal information in the system and
ensuring that regulation is consistent with the APPs.
However, the credit reporting provisions differ from the APPs by
providing different or more specific regulation in relation to
certain personal information in the credit reporting
system.

Related
amendments to insert new provisions dealing with APP codes and the
CR code (which replaces the previous credit reporting code of
conduct) are dealt with in schedule 3. Amendments to the
powers and functions of the Commissioner in relation to credit
reporting are dealt with in schedule 4. The amendments in
schedule 1 to insert the APPs are also relevant. In general
terms, the order and structure of the credit reporting provisions
reflects the order and structure of the APPs and the understanding
of the personal information life cycle captured by the APPs.
More specifically, where relevant the credit reporting provisions
are directly modelled on the APPs, but modified as necessary to
deal with the particular regulatory requirements of the credit
reporting system. There is also the issue of the relationship
between the regulation of personal information by the APPs and the
regulation of certain kinds of personal information by the credit
reporting system. The credit reporting provisions that deal
with credit reporting bodies completely replace the APPs in
relation to the defined kinds of personal information in the credit
reporting system. Credit providers that are also APP entities
will be subject to both the credit reporting provisions as well as
to some APPs in some circumstances in relation to the kinds of
personal information in the credit reporting system. The
relationship between the credit reporting provisions and the APPs
is fully addressed in the provisions and is discussed further
below.

Objective of the credit reporting system

The
purpose of the credit reporting system is to balance an
individual’s interests in protecting their personal
information with the need to ensure sufficient personal information
is available to assist a credit provider to determine an
individual’s eligibility for credit following an application
for credit by an individual. The credit reporting system
provides an aid to credit providers in managing the risks of
providing consumer credit to individuals. Only limited and
defined kinds of credit related personal information (described
further below) are permitted in the credit reporting
system.

The credit
reporting system in Australia has been a ‘negative’
reporting system. The main kinds of personal information
permitted in the system were information about a credit provider
having sought a credit report in relation to an applicant for
credit, the amount of credit sought in the application, the
individual’s current credit providers (if any), and
information about any credit defaults (a term that was specifically
defined). The new provisions move to a ‘more
comprehensive’ credit reporting system. This means a
limited number of additional categories of credit related personal
information are permitted in the credit reporting system, as set
out below. The provisions do not establish a
‘positive’ credit reporting system. That is, the
credit reporting system does not provide every piece of credit
related personal information about an individual. Moving to a
more comprehensive credit reporting system balances the privacy
interests of the individual while providing sufficient information
for credit providers to make an assessment of credit risk when
considering an individual’s eligibility for
credit.

The credit
reporting provisions do not regulate the way in which credit
related personal information about an individual is used by credit
providers to assess the risk of providing credit to an
individual. This is a decision for each credit provider to
make in the circumstances of each case in the context of the
commercial practice of the credit provider.

Credit
providers supply certain credit related personal information into
the credit reporting system by disclosing it to credit reporting
bodies. Credit reporting bodies collect and handle the
information supplied by credit providers to create a database of
permitted credit related personal information about an
individual. The credit related personal information in the
credit reporting system may be disclosed to other credit providers
in defined circumstances. The credit reporting provisions
place obligations on all participants in the credit reporting
system. It is not mandatory for credit providers to
participate in the credit reporting system, but if a credit
provider chooses to participate they must comply with the credit
reporting provisions as set out in the legislation and supported by
regulations and the registered CR code. The credit reporting
provisions do not deal with commercial arrangements that may be put
into place between credit reporting bodies and credit
providers. Matters of industry practice can be addressed by
contractual arrangements or additional industry agreements that sit
alongside the CR code. Industry agreements that may impact on
competition in the credit reporting market would need to be
considered by the Australian Competition and Consumer
Commission.

An Australian credit reporting system

The credit
reporting system is restricted to information about consumer credit
in Australia and access to the credit reporting system is only
available to credit providers in Australia. The credit
reporting system will not contain foreign credit information or
information from foreign credit providers (even if they have
provided credit to an individual who is in Australia), nor will
information from the credit reporting system be available to
foreign credit reporting bodies or foreign credit
providers.

One option
considered to give effect to this policy was a number of general
provisions stating these limitations. However, it was
considered that a simpler, clearer and more effective approach was
to ensure appropriate limitations were in place in relation to each
relevant provision dealing with the collection, use and disclosure
of information by credit reporting bodies and credit providers in
Part IIIA. The key provisions are as follows.
Clause 21D sets out a general prohibition on the disclosure of
credit information by a credit provider to a credit reporting body
(whether or not the body carries on business in Australia).
This is followed by a permission to disclose credit
information to a credit reporting body that has an Australian
link. However, the provision specifies that the credit
information that is disclosed must relate to credit that is or has
been provided, or applied for, in Australia. Clause 20F,
which sets out a table listing the permitted CRB disclosures that
can be made, provides that (once the credit reporting body has
collected this credit information) the credit reporting body can
only disclose the credit information to a specified entity that
also has an Australian link. Around these key provisions
there are other provisions that contain appropriate limitations to
ensure that relevant entities have an Australian link.

In this
context, and consistent with the understanding of APP 8 on
cross-border disclosures of personal information, online
applications for credit submitted by an individual physically in
Australia should be regarded as having been collected in Australia
by the credit provider. Where the online application is made
to a foreign entity, the foreign entity will not have an Australian
link and a credit reporting body will not be permitted to disclose
credit reporting information to that foreign entity.

The
concept of an Australian link is used in the APPs and is a term
that is further defined in section 5B of the Act (as amended
by schedule 4). It is understood that in the context of using
this term in the credit reporting provisions, an entity with an
Australian link should already have an appropriate link to
Australia in place prior to any disclosure to that entity.
The act of disclosure should not be what provides the entity with
an Australian link.

Consideration
will be given to the sharing of credit reporting information with
New Zealand, which has a very similar credit reporting system and
close economic ties with Australia. When this occurs, it will
be necessary to develop specific legislative provisions to amend
the credit reporting system set out in Part IIIA to establish the
arrangements by which credit reporting information will be shared
with New Zealand.

Main reforms to the credit reporting provisions

The credit
reporting provisions have been completely revised, consistent with
the intention to ensure greater logical consistency, simplicity and
clarity throughout the Privacy Act. In addition to revisions
to the credit reporting provisions, the major reforms of the credit
reporting system are:

this
category of information is only available to credit providers who
are subject to responsible lending obligations under the
National Consumer Credit Protection Act 2009 (National
Consumer Credit Protection Act)

however,
there is an exception to this requirement for mortgage insurers to
allow them to obtain the information from those credit providers to
whom they provide mortgage insurance

Reforming
obligations relating to the retention of different categories of
personal information

Introducing
specific rules to deal with pre-screening of credit offers and the
freezing of access to an individual’s personal information in
cases of suspected identity theft or fraud

Providing
additional consumer protections by enhancing obligations and
processes dealing with notification, data quality, access and
correction, and complaints; and

Reforming
the regulation of credit reporting to more accurately reflect the
information flows within the system and the general obligations set
out in the APPs.

The credit
reporting provisions will be supported by regulations and the
registered CR code, which will deal with detailed and practical
matters. In particular, the regulations and registered CR
code will provide details on the information that can be collected
as part of the new sets of information. The registered CR
code will bind all credit reporting bodies. As it is expected
that the registered CR code will deal with certain matters as noted
in the credit reporting provisions, it will also bind credit
providers and other third parties who receive information from
credit providers (such as the ‘affected information
recipients’ dealt with in Division 4 of Part
IIIA).

Participants in the credit reporting system

The credit
reporting provisions apply to three main categories of
participants: credit reporting bodies (formerly known as credit
reporting agencies); credit providers; and affected information
recipients, who are other third parties who receive the information
from credit providers. The terms credit reporting bodies and
credit providers are defined and have specific meanings. In
general, a credit reporting body is a repository of the prescribed
categories of personal information and does not have a direct
relationship with the individuals to whom the information relates
(however, a range of subsequent obligations, for example in
relation to notification, access and correction, and complaints
handling, will put a credit reporting body into direct contact with
individuals). In general terms, a credit provider has a
direct relationship with an individual through providing, or
considering an application for the provision of, consumer credit
(and, where permitted, commercial credit) to the
individual.

The
provisions dealing with each type of participant are grouped
together, so that:

Credit
reporting bodies are dealt with in division 2

Credit
providers are dealt with in division 3; and

Other
recipients, known as affected information recipients (mortgage and
trade insurers, related body corporate, credit managers, and
advisors), are dealt with in Division 4.

A credit
provider is permitted to disclose certain information to another
credit provider in certain circumstances. It is recognised
that this sharing of information is necessary to support the credit
reporting system and sharing information in these circumstances
does not make the credit provider subject to the obligations of a
credit reporting body.

Categories of personal information in the credit reporting system

The credit
reporting system only contains certain narrowly defined categories
of credit related personal information. A number of general
terms are used to refer to these categories of personal
information. It is necessary to use a number of terms that
incorporate and build upon other terms because it is essential to
accurately describe the actual information flows in the credit
reporting system. Generally, credit reporting bodies and
credit providers that receive information out of the system use the
information to determine some sort of credit score or rating of the
credit risk of the individual which they add to the
information. Because credit reporting bodies and credit
providers may use personal information in the credit reporting
system to derive and add new personal information to the system, it
is important to accurately describe this process through the use of
specific and defined terms. The key terms are: credit
information; credit reporting information; credit eligibility
information; and regulated information. These terms are
discussed further, below.

Information flows into and out of the credit reporting system

There are
two sides to the credit reporting system: the input side, by which
credit providers put information into the system by disclosing the
defined categories of personal information to credit reporting
bodies; and the output side, by which credit reporting bodies
disclose certain personal information to credit providers, where
this is consistent with the permitted disclosures. While in
this context it is useful to talk about information flows to
understand how the credit reporting system operates, all
information flows are in fact comprised of a series of disclosures
and collections of personal information, all of which are regulated
by the credit reporting provisions.

In general
terms, there will be a regular flow (disclosure) of information
into the credit reporting system from credit providers to credit
reporting bodies, as personal information about, for example,
repayment history may be provided on a monthly basis.
However, there is no automatic or continuous flow (disclosure) of
information from credit reporting bodies to credit providers
- information can only be disclosed in prescribed
circumstances. Generally, information only comes out of the
system following requests from credit providers to credit reporting
bodies for disclosure for specified purposes (or where disclosures
are permitted to certain recipients for certain purposes by
operation of the provisions, such as to an affected information
recipient, or where disclosure is permitted by operation of an
exception, such as where a disclosure is required or authorised by
or under an Australian law or court or tribunal order).

Diagram 1, below,
provides a simplified illustration of the significant information
flows in the credit reporting system. The key features of
diagram 1 are as follows:

The
central circular relationship is between credit reporting bodies
and credit providers.

Credit
providers disclose ‘credit information’ to credit
reporting bodies, which are the repositories of personal
information in the credit reporting system.

in
addition (and not included in the diagram for simplicity) credit
reporting bodies may make a disclosure to another credit reporting
body, a ‘recognised external dispute resolution
scheme’, an ‘enforcement body’, as well as a
disclosure that is required or authorised by or under an Australian
law or court or tribunal order, or by regulations.

Credit
providers can disclose ‘credit eligibility information’
to:

other
credit providers

‘affected
information recipients’

in
addition (and not included in the diagram for simplicity), credit
providers can make a disclosure to a ‘recognised external
dispute resolution scheme’, a ‘guarantor’, a
‘debt collector’, a mortgage credit assistance scheme,
an ‘enforcement body’, as well as a disclosure that is
required or authorised by or under an Australian law or court or
tribunal order, or by regulations.

The use
and disclosure of the types of personal information in diagram 1
are regulated, and are subject to conditions set out in the credit
reporting provisions.

Diagram 1 - information flows in the credit reporting system

The credit
reporting provisions provide different requirements for the
participants based on whether they are taking part in the input
side or the output side of the credit reporting system. This
means that the rules for credit providers putting credit
information into the credit reporting system are different to the
rules that apply when they obtain credit reporting information from
the credit reporting system. Credit providers have a dual
role - they provide the credit reporting bodies with the
personal information (credit information) necessary for the credit
reporting system to operate, but their role on the output side of
the system is to collect credit reporting information, which is
personal information collected by the credit reporting body from
other credit providers (if any) and any CRB derived information,
which is personal information added by the credit reporting body,
such as a credit score, assessment or other personal information
about an individual that assists in determining an
individual’s credit worthiness.

This
means, for example, that there can’t be a single disclosure
rule for credit providers, both because they have different roles
in the system and because the personal information changes as it
goes through the system. For this reason, there are
provisions relating to the disclosure by credit providers to credit
reporting bodies of credit information into the credit reporting
system (and a related rule for credit reporting bodies dealing with
collection of credit information). However, there are
separate provisions relating to the disclosure by credit reporting
bodies to credit providers, since the personal information
disclosed will be credit reporting information. There are
further provisions relating to any disclosures by credit providers
of credit eligibility information. Credit eligibility
information consists of credit reporting information disclosed to
the credit provider by a credit reporting body, and CP derived
information, which is any personal information added by the credit
provider that assists in determining an individual’s credit
worthiness. There is not one single category of personal
information that can be regulated by a single rule that will apply
in every case.

There are
further rules dealing with other permitted disclosures by credit
reporting bodies and credit providers. These disclosures are
for specific purposes. Most recipients will be subject to
further provisions in relation to their use of the personal
information they have collected, as well as any further disclosure
of the personal information. For example, ‘authorised
information recipients’ are subject to the requirements set
out in Division 4 in relation to ‘regulated
information’. Further disclosure by these authorised
information recipients is prohibited. The credit reporting
provisions do not specifically deal with personal information that
is held or maintained by: a recognised external dispute resolution
scheme; an enforcement body; or a debt collector. An
enforcement body will be an APP entity, and, if the other
recipients are also an APP entity, they will be subject to the
APPs. A recipient who is a person who is a guarantor is
likely to be an individual and exempt from the Act, while a
mortgage credit assistance scheme is expected to be a State or
Territory agency and exempt from the Act.

Key terms
that refer to personal information in the credit reporting
system

There are
a number of definitions associated with the credit reporting
provisions that provide explanations of the terms to assist
understanding and ensure that only the precisely defined kinds of
personal information are held in the credit reporting system.
This is consistent with the prescriptive nature of the credit
reporting system. Many of these definitions are linked.
This reflects the way in which personal information in the credit
reporting system is maintained and used. In particular, both
credit reporting bodies and credit providers use the personal
information they collect to derive their own assessments of the
individual’s credit worthiness. In this context, it is
understood that to derive means to use the personal information to
determine some sort of credit score or rating (or other relevant
personal information) that usually relates to the perceived credit
risk of the individual for the purpose of considering the
individual’s credit worthiness. The aggregation of
personal information in this way gives credit providers a better
understanding of an individual’s credit worthiness. In
the same way that the different kinds of personal information in
the credit reporting system are pulled together, the definitions of
terms used to refer to those kinds of personal information must
also be linked rather than stand alone. Despite the number of
specific definitions of terms that are used in the credit reporting
provisions, only four key terms deal with the accumulation of
relevant personal information through the information flows that
make up the credit reporting system.

Diagram 2, below,
provides a simple illustration of the relationship of the key terms
to the information flows in the credit reporting system, as well as
their relationship to credit providers, credit reporting bodies and
authorised information recipients. For simplicity,
diagram 2 does not represent all the information flows in the
credit reporting system (as set out in diagram 1). The credit
reporting provisions set out the circumstances in which the
different types of personal information can be collected, used or
disclosed.

Diagram 2 - key terms that refer to personal information in the credit reporting system

(a) credit information

Credit
information is the basic category of personal information in the
credit reporting system. The term credit information brings
together a defined list of certain kinds of personal information
that are relevant to the credit reporting system. However,
any information that would fall within the definition of sensitive
information in the Act is expressly excluded from credit
information. The following types of personal information
included in the definition of credit information are also
separately defined: identification information; consumer credit
liability information; repayment history information; information
requests, as well as information about the type and amount of
credit sought in the application; default information; payment
information; new arrangement information; court proceedings
information; and personal insolvency information. The five new
types of personal information that comprise the more comprehensive
credit reporting reforms are captured as part of consumer credit
liability information and repayment history information. In
addition, credit information includes two other types of personal
information: information about certain publicly available
information about the individual that relates to the
individual’s activities in Australia and their credit
worthiness; and information that is the opinion of a credit
provider that the individual has committed a serious credit
infringement (which is itself a defined term).

Credit
reporting bodies hold and maintain credit reporting
information. Credit providers collect credit information from
individuals who apply for credit. This credit information is
disclosed to credit reporting bodies that compile the credit
information about an individual collected from credit
providers. Credit reporting information consists of two
categories of personal information: the credit information about an
individual that was disclosed to the credit reporting body by
credit providers; and CRB derived information. CRB derived
information means any personal information about an individual
(that is not sensitive personal information) that the credit
reporting body derives from the credit information about the
individual held by the credit reporting body. However, the
personal information must have some bearing on the
individual’s credit worthiness and be used to establish the
individual’s eligibility for consumer credit.

Credit
providers hold and maintain credit eligibility information, which
is the final product of the flow of credit information through the
credit reporting system. Credit reporting bodies disclose credit
reporting information to credit providers in defined
circumstances. A credit provider that receives credit
reporting information generally performs its own analysis of that
information in relation to the individual’s credit
worthiness. This is CP derived information - personal
information (which cannot include sensitive information) derived
from the credit reporting information provided to the credit
provider which has some bearing on the individual’s credit
worthiness and can be used to establish the individual’s
eligibility for consumer credit. Credit eligibility
information consists of the credit reporting information provided
to the credit provider by the credit reporting body and the CP
derived information.

An
affected information recipient is a term used to refer to certain
entities or persons that may be (apart from trade insurers)
provided with credit eligibility information in certain
circumstances. Where the affected information recipient is a
mortgage insurer, they may also be provided with credit reporting
information by a credit reporting body in certain
circumstances. Where the affected information recipient is a
trade insurer, they may be provided with credit reporting
information by a credit reporting body in certain
circumstances. The term regulated information refers to these
types of personal information in the hands of the affected
information recipient, and in relation to which certain obligations
are imposed. The circumstances in which disclosures can be
made to affected information recipients are narrowly
prescribed. The term ‘affected information
recipients’ refers to a variety of entities or persons, and
these entities and persons are subject to obligations in relation
to their privacy policy, to provide notice to individuals about
certain matters, and in relation to the use and disclosure of
regulated information.

Relationship
of credit reporting provisions to the APPs

The credit
reporting provisions that apply to credit reporting bodies
completely replace the APPs in relation to the types of personal
information to which they apply. However, the provisions for
credit providers take a different approach. The credit
reporting provisions apply to all credit providers (and, in special
cases, to other entities or persons, such as those entities or
persons that fall within the definition of an affected information
recipient) in relation to the types of personal information to
which they apply. In addition, those credit providers that
are also APP entities may also be subject to some APPs depending on
the circumstances. Provisions have been inserted to clarify
the relationship of particular credit reporting provisions to the
APPs. Each provision in Division 3 on credit providers that
deals with matters that are also covered by one or more of the APPs
contains a provision that clarifies the relationship of that
provision with the relevant APPs. In most cases, the
provision makes clear that the credit reporting provision replaces
the relevant APP in relation to the particular kind of personal
information that is regulated. This difference in approach is
due to the very different roles of the parties in the credit
reporting system. Credit reporting bodies are central to the system
and require rules that apply to every aspect of the system.
However, credit providers take part in the credit reporting system
for the purpose of providing or managing credit, and their primary
obligations in relation to personal information are established by
the APPs. For credit providers, the credit reporting rules
apply over the top of the APPs in relation to the kinds of personal
information regulated in the credit reporting system. In
relation to all other kinds of personal information the APPs will
apply.

Access,
correction and complaints procedures

Specific
access, correction and complaints provisions set out obligations of
credit reporting bodies and credit providers. The main
feature of these provisions is that a credit reporting body or a
credit provider that receives a correction request from the
individual is, where necessary, required to undertake appropriate
consultations with other credit reporting bodies or credit
providers to assist in resolving the correction request.
Consultations will be necessary where the body or provider that
receives the correction request does not itself hold the relevant
information nor have evidence supporting the information. It
will be necessary for credit reporting bodies and credit providers
to develop appropriate systems to ensure that correction requests
are dealt with quickly and efficiently. In addition, a
substantiation obligation is imposed where a correction request is
refused. This means that evidence must be provided to the
individual demonstrating the accuracy of the information for which
correction has been refused. Finally, obligations around
complaints have been developed to ensure that individuals are
informed of their options to lodge a complaint with an approved
external dispute resolution service or with the Commissioner, using
the procedures set out in Part V of the Act.

Civil
penalties and offences

There were
previously a number of credit reporting offences (criminal
offences) in relation to the credit reporting provisions.
These provisions have been removed and replaced with civil penalty
provisions where appropriate. However, where the nature of the
conduct that is to be prohibited justifies an offence provision,
such provisions have been inserted - see clauses 20P and 21R in
relation to the use and disclosure of false and misleading
information and clauses 24 and 24A in relation to the unauthorised
obtaining of information from a credit reporting body or credit
provider. In each case, civil penalty provisions have also
been inserted in relation to the same conduct. The insertion
of both offences and civil penalties allows the appropriate remedy
to be sought depending on the particular circumstances of each
case.

Transitional
arrangements

Transitional
arrangements are set out in schedule 6. Of particular
relevance to the credit reporting provisions is the proposed
capture of repayment history information prior to
commencement. On commencement credit providers will be
permitted to disclose to credit reporting bodies repayment history
information dating back to the date of Royal Assent. As the
commencement period will be 9 months, this means that credit
providers will be able to disclose approximately 9 months of
repayment history information. The purpose of permitting this
arrangement is to provide a meaningful amount of data on repayment
history from the commencement of the new credit reporting
system.

Credit
reporting information that has been de-identified

De-identified
information is not a defined term. However, credit reporting
information held by credit reporting bodies that is de-identified
is subject to specific regulation by clause 20M. The
de-identification of personal information as an alternative to
destruction is an option provided in the APPs, and credit providers
are also permitted to de-identify credit information or credit
eligibility information by the credit reporting provisions.
However, when credit reporting bodies de-identify credit reporting
information, the use and disclosure of that information by credit
reporting bodies is regulated.

Notes on
Clauses

Item 1
Before section 6

This item
inserts the Division heading for the general
definitions.

Item 2
Subsection 6(1)

This item
inserts a cross-reference to the definition of access seeker
in subclause 6L(1).

Item 3
Subsection 6(1)

This item
inserts the definition of affected information
recipient. The term ‘affected information
recipient’ has been used to refer collectively to a number of
different entities or persons to whom certain personal information
is disclosed (known as ‘regulated information’) by
credit reporting bodies or credit providers in certain
circumstances set out in Divisions 2 and 3. Division 4
contains provisions dealing with the handling of ‘regulated
information’ by affected information recipients. An
affected information recipient is a mortgage insurer, a trade
insurer, a related body corporate of a credit provider (as referred
to in paragraph 21G(3)(b)), a person who manages credit
provided by a credit provider (as referred to in paragraph
21G(3)(c)), or an entity or a professional legal adviser or
professional financial adviser for the entity (as referred to in
paragraph 21N(2)(a)) to whom the credit provider discloses credit
eligibility information for certain purposes dealing with
assignment of debts, acceptance of debts, or purchasing an interest
in the provider.

Item 4
Subsection 6(1)

This item
inserts a cross-reference to the definition of amount of
credit in subclause 6M(2).

Item 5
Subsection 6(1)

This item
clarifies that a reference to the Bankruptcy Act means the
Bankruptcy Act 1966.

Item 6
Subsection 6(1)

This item
inserts a cross-reference to the definition of ban period in
subclause 20K(3).

Item 7
Subsection 6(1) (definition of commercial
credit )

This item
repeals the existing definition of commercial credit and inserts a
new definition of commercial credit. The term
‘commercial credit’ is used in other definitions,
including the definition of ‘trade insurance purpose’
(see item 64) and ‘trade insurer’ (see item
65).

‘Commercial
credit’ is any credit other than consumer credit that is
applied for, or provided to, a person. This means that any
credit that is not ‘consumer credit’ is, for the
purposes of the credit reporting provisions, taken to be commercial
credit. Note that the definition of ‘consumer
credit’ has been expanded to include credit obtained to
acquire, maintain, renovate or improve residential property for
investment purposes or to refinance consumer credit provided for
this purpose. This means that credit obtained for residential
property investment purposes (that satisfies the criteria set out
in the definition of ‘consumer credit’) is not
commercial credit.

Item 8
Subsection 6(1)

This item
inserts a definition of commercial credit related
purpose. This definition is linked to the term
‘commercial credit’. Credit reporting bodies may
disclose credit reporting information to a credit provider where
the provider requests the information for a commercial credit
related purpose (see subclause 20F(1)) and the individual expressly
consents to the disclosure. Where the relevant credit
reporting information was disclosed to the credit provider for a
commercial credit related purpose, the credit provider can then use
the credit eligibility information for that purpose (see subclause
21(H)). A credit provider can also disclose credit
eligibility information to another credit provider for a commercial
credit related purpose (see subclause 21J(1)) and the individual
expressly consents to the disclosure.

A credit
provider has a commercial credit related purpose in relation to a
person if the purpose is to assess an application for commercial
credit made by that person to the provider, or to collect payments
that are overdue in relation to the commercial credit provided by
the provider to that person.

Item 9
Subsection 6(1)

This item
inserts the definition of consumer credit. This
definition is, along with the definition of ‘credit
worthiness’, central to the purpose of the credit reporting
system, which is established to allow credit providers to use
certain personal information to determine an individual’s
‘credit worthiness’ and establish the
individual’s eligibility for consumer credit.

The
definition of ‘consumer credit’ has two parts.
Consumer credit is credit for which an individual has made an
application to a credit provider, or credit that has been provided
to an individual by a credit provider, in the course of the credit
provider carrying on a business or undertaking as a credit
provider. In addition, the credit that is applied for or
which is provided must be intended to be used wholly or primarily
for certain purposes. These purposes are: for personal,
family or household purposes; to acquire, maintain, renovate or
improve residential property for investment purposes; or to
refinance consumer credit that has been provided wholly or
primarily to acquire, maintain, renovate or improve residential
property for investment purposes.

Any credit
that does not fall within this definition is ‘commercial
credit’.

The term
‘consumer credit’ replaces the former definition of
‘credit’. The credit reporting provisions have,
from their insertion into the Act, applied to credit that an
individual intends to use wholly or primarily for personal, family
or household purposes. However, the definition has now been
broadened to include credit obtained for the purposes of investing
in residential property and related purposes as set out in the
definition. Extending the application of the credit reporting
system to these credit transactions is consistent with the National
Consumer Credit Protection Act, which protects these types of
credit transactions. Formerly, credit transactions in
relation to residential property for investment purposes would have
been considered commercial credit transactions. However,
extending the protection of NCCP Act to these types of credit
transactions recognised that consumers formed a significant segment
of the residential investment property credit transactions.
Accordingly, it is appropriate to extend the definition of consumer
credit to ensure that the personal information of individuals
undertaking these transactions is also adequately protected by the
credit reporting provisions.

Item 10
Subsection 6(1)

This item
inserts the definition of consumer credit liability
information. The term ‘consumer credit liability
information’ comprises one of the most significant parts of
an individual’s ‘credit information’ (see clause
6N). ‘Consumer credit liability information’ sets
out the important information about an individual’s credit
obligations. Previously, in relation to the description of
the individual’s credit obligations, only the name of an
individual’s credit provider was permitted to be included as
part of the individual’s personal information in the credit
reporting system. This definition now permits certain other
types of information to be included along with the credit
provider’s name. These types of information are four of
the new types of personal information about an individual that are
permitted in the move to a more comprehensive credit reporting
system. The fifth new type of information, repayment history
information, is separately defined.

The
definition of ‘consumer credit liability information’
refers to certain information about the consumer credit that a
credit provider provides to an individual. Any information
about an individual’s commercial credit cannot be included in
an individual’s consumer credit liability information.
The definition sets out the types of information that can be
included as consumer credit liability information, as
follows.

The name
of the credit provider allows identification of the credit provider
that provides consumer credit to an individual, so that, for
example, written notes of disclosures by credit reporting bodies
can clearly identify the credit provider to which credit reporting
information has been disclosed.

Whether
the credit provider is a licensee is also included in the
definition. ‘Licensee’ is defined to have the
meaning given to the term by the NCCP Act. Inclusion of this
information is necessary to determine to which credit providers
repayment history information can be disclosed. Repayment
history information can only be disclosed to credit providers who
are licensees. This is because licensees are subject to
responsible lending obligations under the NCCP Act, and the
repayment history information is intended to assist those credit
providers meet those obligations. If it is not clear from an
individual’s consumer credit liability information that a
credit provider is a licensee, then repayment history information
about that individual should not be disclosed to that credit
provider.

The type
of consumer credit provided to the individual is included in the
definition. It is expected that the registered CR code will
set out common descriptors for use in describing different types of
consumer credit. This is not intended to be a detailed
description of the circumstances around the provision of
credit. While a general description of the type of credit is
permitted, it is expected that the description will provide
sufficient information to be useful for establishing an
individual’s credit worthiness - for example, mortgage
credit is a different type of credit to credit provided for
residential property investment.

The day on
which the consumer credit was entered into is included in the
definition. It is expected that this will generally refer to
the date on which the contract for consumer credit was entered,
although it is expected the registered CR code will provide more
details about this category - for example, if a contract is
not signed immediately but the credit is supplied, it is expected
that the day on which the consumer credit was entered into would
generally be the day the credit was available to the
individual.

The
definition of ‘consumer credit liability information’
includes the terms or conditions of the consumer credit that relate
to the repayment of the amount of credit. However, this
personal information can only be included where it is prescribed by
the regulations. If no regulations are made setting out the
appropriate terms and conditions that are permitted, then no
information about these matters can be included as part of an
individual’s consumer credit liability information. The
terms and conditions of an individual’s consumer credit are
likely to be many and varied. Only those terms and conditions
that would assist in determining an individual’s credit
worthiness are intended to be included. In this regard the
regulations may prescribe matters such as, for example, whether the
credit is repaid by interest only or by principal and interest,
whether the interest rate is fixed or variable, and whether the
credit is secured or unsecured. These matters, if included in
regulations, would provide more information to assist understanding
the type of consumer credit provided to the individual and, more
generally, along with the other information included in the
definition of consumer credit liability information, the nature of
an individual’s consumer credit liabilities. The
registered CR code may also provide more information on the
terms or conditions to be included.

The
maximum amount of credit available under the consumer credit is
included in the definition. This does not refer to the
day-to-day balance for an individual’s credit account.
The maximum amount of credit indicates how much credit is available
to the individual, but does not indicate whether the individual has
used all the credit available. Different credit products may
supply credit in different ways and it may not be straightforward
to determine the maximum credit available. It is expected
that the registered CR code will provide guidance on how the
maximum amount of credit available is to be determined.

The day on
which the consumer credit is terminated or otherwise ceases to be
in force is the final type of information included in the
definition. This refers to the day the consumer credit is no
longer available to the individual because the consumer credit has
been terminated or otherwise ceases to be in force, not to the day
the individual has, for example, made the last repayment on
consumer credit (unless in the circumstances the day of the last
repayment means that the consumer credit ceases to be in
force). Depending on the type of consumer credit, in some
circumstances the individual may continue to have access to the
credit after repaying the credit. This means that the
consumer credit would not be taken as terminated until the
individual no longer had access to the credit. Credit
providers should clearly indicate to consumers the circumstances in
which their credit will be terminated or otherwise ceases to be in
force, and whether the consumer must take any action in addition to
making the final repayment to terminate the credit or for it to
otherwise cease to be in force. There may be other
circumstances in which the credit is terminated or otherwise ceases
to be in force - for example, the individual does an act that
is a serious credit infringement. The date that the consumer
credit is terminated or otherwise ceases to be in force is
necessary to calculate retention periods for consumer credit
liability information and other credit reporting information about
the individual. It is expected that the registered CR code
will provide additional guidance on determining the day on which
consumer credit is terminated and the other circumstances in which
the consumer credit ceases to be in force.

Item 11
Subsection 6(1)

This item
inserts the definition of consumer credit related
purpose. This term is linked to, and should be read with,
the definition of ‘consumer credit’. Credit
reporting bodies can disclose credit reporting information to
credit providers where the provider requests the information for a
consumer credit related purpose under subclause 20F(1).
Credit providers can use credit eligibility information for a
consumer credit related purpose of the credit provider under
subclause 21G(2). The use and disclosure of certain personal
information for a consumer credit related purpose is central to the
operation and purpose of the credit reporting system.

A consumer
credit related purpose of a credit provider in relation to an
individual means either the purpose of assessing an application for
consumer credit made by the individual to the provider, or
collecting payments that are overdue in relation to consumer credit
provided by the provider to the individual.

The
definition of consumer credit related purpose limits the purposes
for which certain personal information may be used or
disclosed. The definition sets out the only permitted
consumer credit related purposes. It would not be consistent
with the definition for credit reporting bodies to disclose credit
reporting information about an individual to credit providers on a
regular or continuous basis. Rather, the credit provider is
required to separately request the credit reporting body to
disclose the relevant personal information on each occasion where
the credit provider wishes to collect that personal
information. While a credit provider is permitted to use
credit eligibility information for the purpose of assisting an
individual to avoid defaulting (see clause 21H), it is expected
that the use for this purpose would only be necessary when the
provider has a basis for believing that the individual may be at
risk of defaulting. It would not be consistent with the
definition of consumer credit related purpose for the provider to
obtain regular disclosures from the credit reporting body simply to
monitor or check an individual’s overall credit worthiness or
behaviour.

Item 12
Subsection 6(1)

This item
inserts the definition of court proceedings
information. Information about court proceedings that is
held and maintained as part of an individual’s ‘credit
information’ (see clause 6N) must be directly related to
credit. It is not permissible for information about any
criminal law matters to be included in an individual’s credit
information, nor for information about any other matters, such as
commercial or civil law matters, unless the matter is related to
the credit provided to, or applied for, by the
individual.

This
provision only permits information about a judgement of an
Australian court - no foreign court information is permitted.
The judgement must be made, or given, against the individual in
proceedings, and the judgement must relate to any credit provided
to, or applied for, by the individual.

The
definition expressly refers only to judgments, not any other form
of, or stages in, court proceedings. This means that, for
example, an originating summons cannot be included in an
individual’s credit information as court proceedings
information because it is not a judgement (even though it is part
of the proceedings of the court).

Item 13
Subsection 6(1)

This item
inserts the definition of CP derived information. CP
derived information is any personal information about an individual
that is derived from credit reporting information that was
disclosed to the credit provider by a credit reporting body under
Division 2. In addition, to be CP derived information the
personal information must be information that has any bearing on
the individual’s ‘credit worthiness’, and be used
(or has been used, or could be used) to establish the
individual’s eligibility for ‘consumer
credit’.

To derive
information from other information (the source information) is to
obtain or deduce other personal information from the source
information. It is secondary information in that it is not
possible for a credit provider to produce CP derived information
without first having the source information about the individual
(in this case, the source information is credit reporting
information) to form the basis for the derivation process.
Generally, it is understood that CP derived information will
include a credit rating or score that has a bearing on the
individual’s credit worthiness by indicating the
provider’s analysis of the individual’s eligibility for
consumer credit. A provider is not limited to using only
credit reporting information to derive CP derived information,
but may also use other information together with credit reporting
information to derive CP derived information about the individual
(such as, for example, the provider’s risk analysis that
takes into account other economic or commercial
factors).

CP derived
information cannot be ‘sensitive information’ as
defined in section 6(1). This prohibition applies to all
forms of sensitive information as set out in the definition of that
term. While, under the APPs, APP entities can generally
collect sensitive information with the consent of the individual,
this provision makes clear that sensitive information is prohibited
in the credit reporting system. To ensure this is the case it
is expected that sensitive information cannot form a part of the
information used by a credit provider to derive CP derived
information about an individual, or be considered in any way by a
provider in CP derived information.

Item
14
Subsection 6(1)

This item
inserts the definition of CRB derived information. CRB
derived information is personal information about an individual
derived by a credit reporting body from credit information about
the individual that is held by the credit reporting body. In
addition, to be CRB derived information it must have some bearing
on the individual’s ‘credit worthiness’, and be
used (or has been used, or could be used) to establish the
individual’s eligibility for consumer credit.

To derive
information from other information (the source information) is to
obtain or deduce other personal information from the source
information. It is secondary information in that it is not
possible for a credit reporting body to produce CRB derived
information without first having the source information about the
individual (in this case, the source information is credit
information) to form the basis for the derivation process.
Generally, it is understood that CRB derived information will
include a credit rating or score that has a bearing on the
individual’s credit worthiness by indicating the body’s
analysis of the individual’s eligibility for consumer
credit. A body is not limited to using only credit
information to derive CRB derived information, but may also use
other information together with credit information to derive CRB
derived information about the individual (such as, for example, the
body’s risk analysis that takes into account other economic
or commercial factors).

CRB
derived information cannot be ‘sensitive information’
as defined in section 6(1). This prohibition applies to all
forms of sensitive information as set out in the definition of that
term. While, under the APPs, APP entities can generally
collect sensitive information with the consent of the individual,
this provision makes clear that sensitive information is prohibited
in the credit reporting system. To ensure this is the case it
is expected that sensitive information cannot form a part of the
information used by a credit reporting body to derive CRB derived
information about an individual, or be considered in any way by a
provider in CRB derived information.

Item
15
Subsection 6(1) (definition of credit)

This item
repeals the existing definition of credit and inserts a
cross-reference to the new definition of ‘credit’ in
subclauses 6M(1) and (3). The new definition of credit
replaces the former definition of ‘loan’. The
definition of credit includes the term ‘amount of
credit’ in subclause 6M(2).

Item
16
Subsection 6(1) (definition of credit card)

This item
replaces any references to the term ‘loans’ in the
definition of credit card with the term
‘credit’. The term ‘loans’ has been
repealed because this term has been replaced with
‘credit’.

Credit reporting bodies disclose credit reporting
information to credit providers in defined circumstances under
Division 2. It is understood that a credit provider
that collects credit reporting information performs its own
analysis on that information and may use it (either alone or
together with other information) to derive further information
about an individual’s credit worthiness that can be used to
establish the individual’s eligibility for consumer
credit. The personal information that results from this
process is CP derived information. Credit eligibility
information refers to these kinds of personal information about the
individual held by the credit provider. The obligations of
credit providers in relation to credit eligibility information are
set out in Division 3.

The
definition of credit eligibility information only includes credit
reporting information disclosed to the credit provider by a credit
reporting body. It does not include other credit-related
information that was, for example, collected directly from the
individual. That other credit-related information would not
be subject to the credit reporting provisions (but, if the provider
is an APP entity, would be subject to the APPs). In some
instances a credit provider may collect the same information from
different sources, for example from a credit reporting body and
from the individual. In these circumstances, the credit
provider will be required to distinguish between personal
information that is credit eligibility information (collected from
a credit reporting body) and other personal information they
collect.

Item
18
Subsection 6(1) (definition of credit enhancement)

This item
replaces the reference to the term ‘a loan’ in the
definition of credit enhancement with the term
‘credit’. The term ‘loan’ has been
repealed because this concept has been replaced with
‘credit’.

This item
replaces the references to the term ‘the loan’ in the
definition of credit enhancement with the term ‘the
credit’. The term ‘loan’ has been repealed
because this concept has been replaced with
‘credit’.

Item
20
Subsection 6(1)

This item
inserts the definition of credit guarantee purpose. An
individual may wish to act as guarantor for credit provided to
another person. The individual may offer the guarantee either
at the time the other person applies for the credit, or after the
credit has been provided to the other person. An individual
who offers to act as a guarantor is offering to take on consumer
credit liabilities in relation to that credit applied for, or
provided to, the other person.

A credit
reporting body is permitted to disclose credit reporting
information to a credit provider that requests the information for
a credit guarantee purpose (see subclause 20F(1)). Where the
relevant credit reporting information was disclosed to the credit
provider for a credit guarantee purpose, the credit provider can
then use the credit eligibility information for that purpose (see
subclause 21(H)).

A credit
guarantee purpose means the purpose of assessing whether to accept
the individual as a guarantor for credit for which an application
has been made to, or which has been provided by, a credit provider
by a person other than the individual who is proposing to be a
guarantor.

Item
21
Subsection 6(1)

This item
inserts a cross-reference to the definition of credit
information in clause 6N.

Item
22
Subsection 6(1) (definition of credit information file)

This item
repeals the definition of credit information file as the
term is no longer used. The concept of a file no longer
accurately reflects the way personal information is held and
maintained in the credit reporting system.

Item
23
Subsection 6(1) (definition of credit provider)

This item
inserts a new cross-reference to the definition of credit
provider in clauses 6G to 6K, as these clauses replace the
previous definition of this term.

Item
24
Subsection 6(1) (definition of credit report)

This item
repeals the definition of credit report, as the term is no
longer used. The concept of a credit report no longer
accurately reflects the way personal information is held or
maintained in the credit reporting system.

Item
25
Subsection 6(1) (definition of credit reporting agency)

This item
repeals the definition of credit reporting agency as it has
been replaced by the term ‘credit reporting
body’.

Item
26
Subsection 6(1)

This item
inserts the definition of credit reporting body, which
replaces the previous definition of ‘credit reporting
agency’. The reference to ‘agency’ in the
previous term has been replaced with ‘body’ to ensure
that there is no confusion with Government agencies, particularly
now that the definition provides for an agency to be a credit
reporting body if it is prescribed by regulations. A credit
reporting body is either an organisation that carries on a
‘credit reporting business’ or an agency prescribed by
the regulations that carries on a ‘credit reporting
business’ (as defined in clause 6P). A credit reporting
body is subject to the obligations set out in Division
2.

It is not
anticipated that any agencies will be prescribed by the
regulations. However, this provision provides the option of
prescribing an agency in the future if any agency is established
as, or identified to be, a credit reporting body. An agency
that is a credit reporting body will be subject to the same
regulatory requirements as an organisation or small business
operator that is a credit reporting body.

A credit
reporting body that is a small business operator will be treated as
an organisation for the purposes of the Act. The definition
of ‘organisation’ in section 6C excludes a small
business operator. However, subsection 6D(4) specifies
certain entities that are not small business operators and hence
which are treated as organisations. Item 68 amends subsection
6D(4) by adding an additional paragraph referring to a credit
reporting body. This means that a credit reporting body that
is a small business is not, for the purposes of the Act, a small
business operator. It is appropriate that small business
operators are permitted to be credit reporting bodies and play a
role in the credit reporting system. However, those small
business operators should be subject to the obligations in the Act
that apply to other organisations, such as the APPs, and the
obligations in the Act that apply to credit reporting bodies, in
particular, the obligations set out in Part IIIA of the
Act.

Item
27
Subsection 6(1) (definition of credit reporting business)

This item
repeals the existing definition of credit reporting business
and inserts a cross-reference to the new definition of
‘credit reporting business’ in clause 6P.

Item
28
Subsection 6(1)

This item
inserts the definition of credit reporting
information. Credit reporting bodies hold and maintain credit
reporting information, which is personal
information. Credit
reporting information about an individual consists of ‘credit
information’ that was disclosed to the credit reporting body
by the credit provider, as well as ‘CRB derived
information’.

Credit providers collect credit information from
individuals who apply for credit. This credit information may
be disclosed in certain circumstances (under Division 3) to credit
reporting bodies that compile the credit information about an
individual collected from credit providers. It is understood
that a credit reporting body that collects credit information
performs its own analysis on that information and may use it
(either alone or together with other information) to derive further
information about an individual’s credit worthiness that can
be used to establish the individual’s eligibility for
consumer credit. The personal information that results from
this process is CRB derived information. Credit reporting
information refers to these kinds of personal information about the
individual held by the credit reporting body. The obligations
of credit reporting bodies in relation to credit reporting
information are set out in Division 2.

Item
29
Subsection 6(1)

This item
inserts the definition of credit worthiness. This
definition is, along with the definition of ‘consumer
credit’, central to the purpose of the credit reporting
system, which is established to allow credit providers to use
certain personal information to determine an individual’s
‘credit worthiness’ and to establish the
individual’s eligibility for consumer credit. The term
‘credit worthiness’ is used in the definitions of
‘CP derived information’ and ‘CRB derived
information’. These definitions refer to information
that has a bearing on an individual’s credit worthiness and
is, has been or could be used in establishing the individual’s
eligibility for consumer credit. Accordingly, personal
information about the individual in the credit reporting system
that is held and maintained by credit reporting bodies in the form
of ‘credit reporting information’ (under
Division 2) and credit providers in the form of ‘credit
eligibility information’ (under Division 3) includes
information that has a bearing on an individual’s credit
worthiness and is, has been or could be used in establishing the
individual’s eligibility for consumer credit.

There are
three components to the definition of an individual’s credit
worthiness. These matters are the individual’s:
eligibility to be provided with consumer credit; history in
relation to consumer credit; or capacity to repay an amount
of credit that relates to consumer credit.

Item
30
Subsection 6(1) (definition of current credit provider)

This item
repeals the definition of current credit
provider.

This
definition is no longer required. The definition of
‘consumer credit liability information’ includes
information about an individual’s credit provider in relation
to the individual’s existing consumer credit
liabilities. This means that any credit provider included in
consumer credit liability information is a current credit provider
in relation to an individual.

Item
31
Subsection 6(1)

This item
inserts a cross-reference to the definition of default
information in clause 6Q.

This item
repeals the definition of eligible communications service,
as this term is no longer used in the credit reporting
provisions.

Item
33
Subsection 6(1) (definition of guarantee)

This item
repeals the existing definition of guarantee and replaces it
with a new definition that is consistent with the new terms now
used in the credit reporting provisions. Specifically, the
definition, which provides that a guarantee includes an indemnity
given against the default of a person in making a payment in
relation to credit, now concludes by making clear that it is a
payment in relation to credit that has been applied for by, or
provided to, the person for whom the individual is or will be
guarantor.

Item
34
Subsection 6(1)

This item
inserts the definition of identification information.
Identification information is a type of information that is
included in the definition of ‘credit information’ (see
clause 6N). While the personal information included in this
definition does not itself directly refer to an individual’s
credit obligations, it is necessary to include this personal
information in credit information to ensure that the individual can
be effectively identified and linked to other personal information
about their credit obligations included in their ‘credit
information’. Credit reporting bodies cannot collect
identification information about individuals without collecting or
holding other credit information, and can only collect
identification information about individuals who are under the age
of 18 in certain circumstances (see clause 20C).

The term
‘identification information’ refers to those types of
personal information about an individual that are listed in the
definition. No other personal information may be included as
identification information in an individual’s credit
information, and hence in the credit reporting system.

Identification
information about an individual means: the individual’s full
name; any alias or previous name of the individual; the
individual’s date of birth; and the individual’s
sex. In addition, the definition includes the
individual’s current or last known address, and two previous
addresses, if any; the name of the individual’s current or
last known employer; and the individual’s driver’s
licence number (if the individual holds a licence).

The
definition does not include any more than two previous addresses
for an individual. While there may be circumstances in which
an individual may change addresses relatively frequently in a
period of time, it is considered that only including the
individual’s current address and two previous addresses in
the individual’s identification information sufficiently
balances the need to identify the individual accurately with the
individual’s interests in maintaining the privacy of the
individual’s previous addresses. This restriction also
ensures that there is no possibility of a history of the
individual’s addresses being compiled.

Item
35
Subsection 6(1)

This item
inserts a cross-reference to the definition of information
request in clause 6R.

Item
36
Subsection 6(1)

This item
inserts a cross-reference to the definition of interested
party in subclauses 20T(3) and 21V(3) (which deal with
consultation by a credit reporting body or a credit provider
respectively, following an individual’s correction
request).

Item
37
Subsection 6(1)

This item
states that ‘licensee’ has the meaning given by
the NCCP Act.

Repayment
history information can only be disclosed in circumstances where
the disclosing credit provider, or the recipient of the information
from a credit reporting body, is a licensee. The reason for
this is that licensees are subject to responsible lending
obligations under the NCCP Act, and the repayment history
information is intended to assist those credit providers in meeting
those obligations. Credit providers can only disclose
repayment history information to a credit reporting body if the
credit provider is a licensee (see paragraph 21D(3)(c)), and
can only disclose repayment history information as part of credit
eligibility information if the recipient is a licensee (see
paragraph 21G(5)(a) - but note that a disclosure to a
mortgage insurer is permitted by clause 21L). Credit
reporting bodies can only disclose repayment history information to
a credit provider that is a licensee (see subclause 20E(4)).
Defining the term ‘licensee’ by referring to its
meaning in the NCCP Act ensures that there is a single source for
the meaning of the term which assists in identifying a
licensee.

Item
38
Subsection 6(1) (definition of loan)

This item
repeals the definition of loan as the term has been replaced
by the term ‘credit’.

Item
39
Subsection 6(1)

This item
inserts the definition of managing credit. A credit
provider is permitted to disclose credit eligibility information to
a person who manages credit provided by the credit provider for use
in managing that credit (see subclause 21G(3)). A person who
manages credit is included in the definition of an ‘affected
information recipient’ and is subject to the obligations in
Division 4, and in particular clause 22E dealing with the use or
disclosure of credit eligibility information by credit
managers. Agents of credit providers and securitisation
entities may also manage credit (see clauses 6H and 6J).

The
definition operates by excluding certain matters from the meaning
of ‘managing credit’. An act relating to the
collection of overdue payments in relation to credit is excluded
from the meaning of ‘managing credit’. The
collection of overdue payments is specifically regulated by clause
21M, which provides for disclosures by credit providers of certain
limited types of credit eligibility information to debt
collectors. It would undermine the protection afforded to
credit eligibility information and the operation of clause 21M if a
debt collector could also collect credit eligibility information in
the guise of managing credit.

In general
terms, it is understood that a credit manager is someone who
manages credit for a credit provider (but is not an agent of the
credit provider), and to whom disclosures are permitted for that
purpose. The acts that constitute managing credit are likely
to vary depending on the services that a credit manager has agreed
to provide to a credit provider. This may vary, for example,
from providing all matters relating to the management of credit to
only some specific matters. For example, a credit manager may
supply a credit provider with customer management or customer
assistance services, or may instead supply a variety of data
management or back-office services to a credit provider. A
credit provider should only disclose credit eligibility information
for use by the credit manager where that information is necessary
for the credit manager to manage the credit provided by the credit
provider. Not all acts that constitute managing credit will
require all credit eligibility information to be disclosed to the
credit manager, and credit eligibility information shouldn’t
be disclosed by credit providers to credit managers as a matter of
course.

Item
40
Subsection 6(1) (definition of mortgage credit)

This item
repeals the definition of mortgage credit and replaces it
with a new definition that is consistent with the new terms now
used in the credit reporting provisions. Specifically, the
definition now refers to ‘consumer credit’ as the
definition of this term now includes credit for which an individual
has made an application, or credit which the individual has been
provided, for purposes relating to residential property for
investment purposes. The term ‘mortgage credit’
is used in the definition of ‘mortgage insurance
purpose’ and ‘mortgage insurer’ (see items 41 and
42) and is also used in provisions dealing with the collection, use
and disclosure of personal information by credit reporting bodies
(see Division 2) and credit providers (see Division 3).

Item
41
Subsection 6(1)

This item
inserts the definition of mortgage insurance
purpose.

A credit
provider can disclose credit eligibility information to a mortgage
insurer for a mortgage insurance purpose (see clause 21L), and a
credit reporting body can disclose credit reporting information to
a mortgage insurer where the mortgage insurer requests it for a
mortgage insurance related purpose (see subclause 20F(1)).
This definition is necessary to assist the understanding of a
mortgage insurance related purpose. A mortgage insurance
purpose is the purpose of assessing: whether to provide insurance
to, or the risk of insuring, a credit provider in relation to
mortgage credit in certain circumstances; the risk of an individual
defaulting on mortgage credit for which the insurer has provided
insurance; or the risk of an individual being unable to meet a
guarantee provided or proposed to be provided in relation to
mortgage credit.

Item
42
Subsection 6(1) (definition of mortgage insurer)

This item
repeals the definition of mortgage insurer and replaces it
with a new definition that is consistent with the new terms now
used in the credit reporting provisions. A mortgage insurer
carries on a business or undertaking that involves providing
insurance to credit providers in relation to mortgage credit
provided by credit providers to other persons.

In
addition, the definition of ‘mortgage insurer’ now
clearly includes a small business operator that meets the
requirements of this definition, along with any organisation.
This is to ensure effective protection of personal information in
the credit reporting system, whether the personal information is
held or maintained by a small business operator or an
organisation.

Item
43
Subsection 6(1)

This item
inserts a cross-reference to the definition of the National
Personal Insolvency Index in the Bankruptcy Act (which
has been defined to mean the Bankruptcy Act
1966).

Item
44
Subsection 6(1)

This item
inserts a cross-reference to the definition of new arrangement
information in clause 6S.

Item
45
Subsection 6(1)

This item
inserts a cross-reference to the definition of payment
information in clause 6T.

Item
46
Subsection 6(1)

This item
inserts a cross-reference to the definition of penalty unit
in section 4AA of the Crimes Act 1914 to ensure that the
term has the same meaning.

Item
47
Subsection 6(1)

This item
inserts the definition of pending correction request.
The correction procedures set out in Divisions 2 and 3 permit an
individual to make a request for the correction of certain personal
information to a credit reporting body or a credit provider and for
the recipient of the request to make a decision on the correction
request, after, if necessary, consulting any other credit reporting
body or credit provider. However, credit reporting bodies
have obligations to destroy or de-identify credit reporting
information after the retention period for the information has
ended (see clause 20V). Destruction or de-identification
while a correction request is unresolved would not be
appropriate. Accordingly, paragraph 20V(5)(a) deals with the
situation where a credit reporting body would otherwise be required
to destroy or de-identify information and a correction request is
unresolved. It is necessary to have a defined term of
‘pending correction request’ for this purpose. In
addition, clause 20Z imposes certain obligations on credit
reporting bodies in relation to dealing with information if there
is a pending correction request. As the destruction or
de-identification obligations apply to credit reporting bodies, the
definition of pending correction request is only focussed on the
correction of personal information about an individual that may be
held by a credit reporting body - that is, credit information
or CRB derived information.

A pending
correction request in relation to credit information or CRB derived
information is a request made under subclause 20T(1) (which
provides that an individual may request the correction of credit
reporting information) in relation to which a notice informing the
individual of the credit reporting body’s decision (to
correct the information or not correct the information) has not
been given under clause 20U. A pending correction request
also means a request made under subclause 21V(1) (which provides
that an individual may request the correction of credit eligibility
information) where a credit reporting body has been consulted under
that clause and in relation to which a notice informing the
individual of the credit provider’s decision (to correct the
information or not correct the information) has not been given
under clause 21W.

Item
48
Subsection 6(1)

This item
inserts the definition of pending dispute. Division 5
contains provisions dealing with complaints by individuals to
credit reporting bodies or credit providers about a breach of Part
IIIA. Other credit reporting bodies or credit providers must
be consulted about a complaint where necessary. In addition,
a complaint may be made to a recognised external dispute resolution
scheme or to the Commissioner under Part V of the Act.
However, credit reporting bodies have obligations to destroy or
de-identify credit reporting information after the retention period
for the information has ended (see clause 20V). Destruction
or de-identification while a dispute is unresolved would not be
appropriate. Accordingly, paragraph 20V(5)(b) deals with
the situation where a credit reporting body would otherwise be
required to destroy or de-identify information and there is an
unresolved complaint. It is necessary to have a defined term
of ‘pending dispute’ for this purpose. In
addition, clause 20Z imposes certain obligations on credit
reporting bodies in relation to dealing with information if there
is a pending dispute. As the destruction or de-identification
obligations apply to credit reporting bodies, the definition of
pending dispute is only focussed on a dispute about an
individual’s personal information that may be held by a
credit reporting body - that is, credit information or CRB
derived information.

A pending
dispute in relation to credit information or CRB derived
information means: a complaint made under clause 23A that relates
to the information if a decision about the complaint has not been
made under subclause 23B(4); or a complaint or other matter relating
to the information that is being dealt with by a recognised
external dispute resolution scheme; or a complaint made to the
Commissioner under Part V.

Item
49
Subsection 6(1)

This item
inserts a cross-reference to the definition of permitted CP
disclosure which has the meaning given to the term by clauses
21J to 21N.

Item
50
Subsection 6(1)

This item
inserts a cross-reference to the definition of permitted CP
use which has the meaning given to the term by clause
21H.

Item
51
Subsection 6(1)

This item
inserts a cross-reference to the definition of permitted CRB
disclosure which has the meaning given to the term by clause
20F.

Item
52
Subsection 6(1)

This item
inserts a cross-reference to the definition of personal
insolvency information which has the meaning given to the term
by clause 6U.

Item
53
Subsection 6(1)

This item
inserts a cross-reference to the meaning of pre-screening
assessment which has the meaning given to the term by paragraph
20G(2)(d).

Item
54
Subsection 6(1)

This item
inserts the definition of purchase. This definition
was previously at subsection 6(5D) (and has been repealed by
item 66). This term is used in the definitions of
‘securitisation arrangement’ and ‘securitisation
related purpose’. The term is defined to clarify that
‘purchase’, when used in relation to credit, includes the
purchase of rights to receive payments relating to the
credit. Where the term ‘purchase’ is used in
another context (for example, in subclause 21N(2) in relation to
purchasing an interest in a credit provider) this special meaning
does not apply.

Item
55
Subsection 6(1)

This item
inserts the definition of regulated information. An
‘affected information recipient’ is subject to certain
obligations set out in Division 4 in relation to ‘regulated
information’. The term ‘regulated
information’ is defined by reference to the types of personal
information that may be disclosed to affected information
recipients under Divisions 2 or 3. Generally, regulated
information is ‘credit eligibility information’ or
‘credit reporting information’ that has been disclosed
to affected information recipients.

An
affected information recipient is a term used to refer to certain
entities or persons that may be provided with credit reporting
information or credit eligibility information in certain
circumstances. Where the affected information recipient is a
mortgage insurer, a credit reporting body may disclose credit
reporting information to a mortgage insurer in certain
circumstances (see clause 20F). A credit provider may
disclose credit eligibility information to them in certain
circumstances (see clause 21L). Where the affected
information recipient is a trade insurer, a credit reporting body
may disclose credit reporting information to them in certain
circumstances (see clause 20F). Where the affected
information recipient is a related body corporate, a credit
provider may disclose credit eligibility information to them in
certain circumstances (see paragraph 21G(3)(b)). Where
the affected information recipient is a person who manages credit
for a credit provider, a credit provider may disclose credit
eligibility information to them in certain circumstances (see
paragraph 21G(3)(c)). Where the affected information
recipient is an entity or adviser of an entity, a credit provider may
disclose credit eligibility information to them in certain
circumstances (see subclause 21N(2)).

Item
56
Subsection 6(1)

This item
inserts a cross-reference to the definition of repayment history
information which has the meaning given by subclause
6V(1).

Item
57
Subsection 6(1)

This item
inserts a cross-reference to the definition of residential
property in section 204 of the National Credit Code (within the
meaning of the National Consumer Credit Protection Act).

Item
58
Subsection 6(1)

This item
inserts the definition of respondent. This term is
used in Division 5 on complaints to identify the credit reporting
body or the credit provider to whom the complaint is made under
clause 23A.

Item
59
Subsection 6(1)

This item
inserts a cross-reference to the definition of retention
period which has the meaning given by clauses 20W and
20X.

This item
replaces part of the definition of securitisation
arrangement that previously used the term ‘loan’
with subparagraphs that use the term ‘credit’.
The term ‘loan’ has been repealed because this concept
has been replaced with ‘credit’.

This item
replaces any references to the term ‘loans’ in the
definition of securitisation arrangement, with the term
‘credit.’ The term ‘loan’ has been
repealed because this concept has been replaced with
‘credit’.

Item
62
Subsection 6(1)

This item
inserts the definition of securitisation related
purpose. This definition refers to the term
‘securitisation arrangement’. Credit reporting
bodies may disclose credit reporting information to a credit
provider where the provider requires the information for a
securitisation related purpose (see subclause 20F(1), and note that
the meaning of ‘credit provider’ for this purpose is
modified by subclause 6J(1)). Where the relevant credit
reporting information was disclosed to the credit provider for a
particular securitisation related purpose, the credit provider can
then use the credit eligibility information for that particular
purpose (see subclause 21(H)) or disclose credit eligibility
information to another credit provider (as defined by subclause
6J(1)) for a securitisation purpose in certain circumstances (see
subclause 21J(4)).

A credit
provider has a securitisation related purpose in relation to an
individual if the purpose is to: assess the risk in purchasing
credit provided to, or applied for by, an individual or a person
for whom the individual is or may be a guarantor; or to assess the
risk in undertaking credit enhancement in relation to credit that
is, or may be, purchased or funded by a securitisation arrangement
and that has been provided to, or applied for by, the individual or
a person for whom the individual is or may be a
guarantor.

Item
63
Subsection 6(1) (definition of serious credit
infringement )

This item
repeals the existing definition of serious credit
infringement and replaces it with a new definition that makes
certain changes to the requirements that must be satisfied before
an act of an individual will be a serious credit infringement, and
also uses terms that are consistent with the new terms now used in
the credit reporting provisions. Information about a
‘serious credit infringement’ can be included in an
individual’s ‘credit information’ (see clause 6N)
and the term is also used in relation to the collection, use and
disclosure of information about a serious credit infringement by
credit reporting bodies (in Division 2) and credit providers (in
Division 3).

There are
three situations in which the definition of a serious credit
infringement can be satisfied. An act of an individual will
be a serious credit infringement where the act involves
fraudulently obtaining consumer credit, or attempting to
fraudulently obtain consumer credit. An act of an individual
will also be a serious credit infringement where the act involves
fraudulently evading, or attempting to evade, the
individual’s obligations in relation to consumer
credit. Both of these situations involve fraud on the part of
the individual.

The third
situation in which an act of an individual will be a serious credit
infringement includes a number of elements that must be
present. The individual must do an act that a reasonable
person would consider indicates an intention on the part of the
individual to no longer comply with the individual’s
obligations in relation to consumer credit provided by a credit
provider. In addition, the credit provider must take steps
that are reasonable in the circumstances to contact the individual
about the act, and the credit provider must have been unsuccessful
in contacting the individual. The third element is that at
least six months must have passed since the provider last had
contact with the individual. It is expected that in most
cases, where the serious credit infringement relates to an
outstanding amount owed by the individual, the earliest date that
the period of six months would be calculated from is the date that
the outstanding amount was due.

The
listing of a serious credit infringement as part of an
individual’s credit information has significant consequences
for the individual’s credit worthiness. Where a serious
credit infringement is based on fraudulent activity, this activity
alone is sufficient to justify listing a serious credit
infringement. However, where fraud is not involved, the
changes made to the definition which ensure that all reasonable
efforts are made to contact the individual and that 6 months has
passed since the provider last had contact with the individual
recognise that this situation is not as clear-cut as fraud and is
instead based on an act that a reasonable person would consider
indicates an intention on the part of the individual to no longer
comply with the individual’s consumer credit
obligations.

The
requirement for six months to have elapsed since the provider last
had contact with the individual before the act can be considered to
be a serious credit infringement provides a practical timeframe in
which the individual may be able to pay the debt before a serious
credit infringement is listed. In some situations, an
individual may have moved, for example at the end of a tenancy,
with the belief that all outstanding bills have been paid.
The individual may not be contactable because the credit provider
does not have a forwarding address. The individual may also
be willing to pay the outstanding amount and may find out about,
and pay, the amount once the credit provider has listed a default
in relation to the outstanding amount. Note that the credit
provider will be permitted to list a default in relation to the
outstanding amount owed by the individual after at least 60 days
have elapsed and the other requirements set out in the definition
of ‘default’ are satisfied. In these
circumstances, providing an appropriate period of time before the
credit provider can list a serious credit infringement will give
the individual the opportunity to pay the debt.

It is
expected that the registered CR code will provide guidance and
direction on relevant matters, such as: how to interpret whether a
credit infringement is ‘serious’ (for example, in
determining whether the individual’s conduct can be
considered fraudulent); how to establish whether reasonable steps
have been taken to contact an individual; how to calculate whether
at least six months has passed, and what constitutes the last
contact with the individual; and whether a serious credit
infringement should be listed where there is a dispute between the
parties that is not resolved; and the obligations on credit
providers to substantiate that a serious credit infringement has
occurred. However, the provisions of the registered CR code
must be consistent with other provisions in Part IIIA. This
means, for example, that where an individual makes a correction
request in relation to a serious credit infringement and this
request is refused, the credit reporting body or the credit
provider will need to provide evidence substantiating the
listing. The registered CR code, in dealing with the
obligations of credit reporting bodies and credit providers, should
deal with the information and evidence that should be provided to
substantiate a serious credit infringement.

Item
64
Subsection 6(1)

This item
inserts the definition of trade insurance
purpose.

A credit
reporting body can disclose credit reporting information to a trade
insurer for a trade insurance purpose where the individual has
expressly consented, in writing, to the disclosure of the
information to the insurer for the trade insurance purpose (see
clause 20F(1)). This definition is necessary to define the
trade insurance purpose. A trade insurance purpose is the
purpose of assessing: whether to provide insurance to, or the risk
of insuring, a credit provider in relation to commercial credit
provided by the provider to the individual or another person; or
the risk of a person defaulting on commercial credit for which the
insurer has provided insurance to the credit provider.

Item
65
Subsection 6(1) (definition of trade insurer )

This item
repeals the existing definition of trade insurer and inserts
a new definition that is consistent with the new terms now used in
the credit reporting provisions. A trade insurer
carries on a business or undertaking that involves providing
insurance to credit providers in relation to commercial credit
provided by credit providers to other persons.

In
addition, the definition of ‘trade insurer’ now clearly
includes a small business operator that meets the requirements of
this definition, along with any organisation. This is to
ensure effective protection of personal information in the credit
reporting system, whether the personal information is held or
maintained by a small business operator or an
organisation.

Item
66
Subsections 6(5A) to (5D)

This item
repeals subsections 6(5A), (5B) and (5C) as they have been replaced
by the definition of credit reporting business set out in clause
6P.

This item
also repeals subsection 6(5D), which refers to the meaning of
purchase of a loan. Item 54 inserts a definition of
‘purchase’ in subsection 6(1) based on the definition
in subsection 6(5D).

Item
67
Subsection 6(10)

Subsection
6(10) sets out the definition of family as used in the definition
of credit. This item replaces the term
‘credit’ with the term ‘consumer credit’ in
that definition as the definitions have been restructured and the
term ‘family’ is now used in the definition of
‘consumer credit’ rather than in the definition of
‘credit’.

Item
68 At
the end of subsection 6D(4)

This item
inserts a new paragraph at the end of subsection 6D(4) which refers
to a ‘credit reporting body’. This means that a
credit reporting body that is a small business operator will be
treated as an organisation for the purposes of the Act.

The
definition of ‘organisation’ in section 6C excludes a
small business operator. However, subsection 6D(4) specifies
certain entities that are not small business operators and hence
which are treated as organisations. This amendment adds an
additional paragraph to section 6D(4) referring to a credit
reporting body. This means
that a credit reporting body that is a small business is not, for
the purposes of the Act, a small business operator. It is
appropriate that small business operators are permitted to be
credit reporting bodies and play a role in the credit reporting
system. However, those small business operators should be
subject to the obligations in the Act that apply to other
organisations, such as the APPs, and the obligations in the Act
that apply to credit reporting bodies, in particular, the
obligations set out in Part IIIA of the Act.

Item
69
After section 6F

This item
inserts a new Division containing key definitions relating to
credit reporting.

Division 2
- Key definitions relating to credit reporting

Subdivision
A - Credit provider

This
Subdivision deals with the definitions of the term ‘credit
provider’. Clause 6G sets out the general definition of
‘credit provider’. Clauses 6H, 6J and 6K deal
with specific situations in which an organisation or small business
operator will also be considered to be a ‘credit
provider’ for the purposes set out in those
clauses.

Clause
6G Meaning of credit
provider

This
provision inserts the meaning of credit provider. The
general meaning of ‘credit provider’, certain
additional situations which extend the general meaning of
‘credit provider’, and certain exclusions to the
meaning of ‘credit provider’ are dealt with in this
provision.

Subclause
(1) sets out the general definition of ‘credit
provider’. Paragraph (a) states that a
‘bank’ is a credit provider, and ‘bank’ is
defined in section 6(1). Paragraph (b) states that an
organisation or small business operator that carries on a business
or undertaking of which a substantial part of that business or
undertaking is the provision of credit will be a credit
provider. In this
context, substantial connotes both value and proportion. An
organisation or small business operator could satisfy this aspect
of the definition where its activities relating to the provision of
credit involved substantial amounts of money, even if its lending
activities did not constitute the dominant part of the
corporation’s overall business. However, in order to be
a substantial part of the entity’s business, the loans
provided by a corporation would have to be an essential or
important part of its business, and not merely incidental to
it.

Paragraph
(c) deals with organisations or small business operators that issue
credit cards. Paragraph (c) provides that an organisation or
small business operator that carries on a retail business and
which, in the course of the business, issues credit cards to
individuals in connection with the sale of goods, or the supply of
services, by the organisation or small business operator will be a
credit provider.

Paragraph
(1)(d) provides that regulations may prescribe an agency,
organisation or small business operator that carries on a business
or undertaking that involves providing credit is a credit provider
for the purposes of clause 6G. This provision provides the
option of dealing with situations where an agency, organisation or
small business is involved in providing credit, but does not
satisfy the requirements of paragraph (1)(b). It is expected
that regulations will be made to prescribe Indigenous Business
Australia as a credit provider.

Subclause
(1) makes clear that small business operators are, if they satisfy
the requirements of the provision (in the case of paragraph (d),
this includes being prescribed by regulations), credit providers
that are subject to the credit reporting provisions. However,
a credit provider that is a small business operator may not be an
APP entity subject to the APPs depending on the nature of their
business and the operation of the small business exemption in
section 6D and related provisions. This is different to
the position for small business operators that are credit reporting
bodies, which are subject to both the credit reporting provisions
and the Act as a whole (including the APPs) because they are
excluded from the definition of a ‘small business
operator’ (see item 68).

Subclauses
(2), (3) and (4) deal with other situations in which an
organisation or small business operator may be a credit
provider. However, the organisation or small business
operator will be a credit provider only in relation to the
circumstances set out in these provisions. This means that
the organisation or small business operator is a credit provider
only for limited situations, and not for their whole business or
undertaking. These situations only apply if the organisation
or small business operator is not a credit provider under subclause
(1).

Subclause
(2) deals with situations in which an organisation or small
business operator (known in this provision as the
‘supplier’) provides credit in relation to the sale of
goods or the supply of services. If the supplier permits the
repayment, whether in full or in part, of the amount of credit to
be deferred for at least 7 days, and the supplier is not already a
credit provider under subclause (1), then the supplier will be a
credit provider, but only in relation to the credit which satisfies
this provision.

Subclause
(3) deals with situations in which an organisation or small
business operator (known in this provision as the
‘lessor’) provides credit in connection with the
hiring, leasing or renting of goods. If the lessor provides
such credit and the credit is in force for at least 7 days, and no
amount, or an amount that is less than the value of the goods, is
paid as a deposit for the return of the goods, and the lessor is
not already a credit provider under subclause (1), then the lessor
will be a credit provider, but only in relation to the credit which
satisfies this provision.

Subclause
(4) provides that an organisation or small business operator that
satisfies the requirements of clauses 6H, 6J and 6K is a credit
provider.

Subclauses
(5) and (6) set out situations in which an organisation or small
business operator is excluded from the meaning of credit provider,
even if they may satisfy any of the other provisions in clause
6G. Subclause (5) makes clear that any organisation or small
business operator that acts in the capacity of a real estate agent,
a general insurer (within the meaning of the Insurance Act
1973), or an employer of an individual is not a credit provider
while acting in that capacity. It is not consistent with the
objectives of the credit reporting system to permit personal
information in the credit reporting system to be disclosed or used
for any purpose of a real estate agent, a general insurer, or an
employer of an individual. In particular, personal
information in the credit reporting system must not be used in
relation to the management of rental properties, and this
prohibition includes any use for assessing potential tenants for
rental properties. To the extent that any other organisation
or small business operator that would otherwise be a credit
provider under clause 6G performs the functions of a real estate
agent, including the assessment of potential tenants for rental
properties, that organisation or small business operator would not
be a credit provider for that purpose. Collection, use or
disclosure by a credit reporting body or a credit provider for that
purpose would be a breach of the credit reporting provisions and
may, depending on the circumstances, be a credit reporting
offence. Similarly, an organisation or small business
operator that was acting in its capacity as an employer of an
individual would not be a credit provider for any employment
related purpose (including, for example, assessing an applicant for
a position in which the organisation or small business operator
would be the individual’s employer).

Subclause
(6) provides that regulations may specify that an organisation or
small business operator is not a credit provider if it is included
in a class of organisations or small business operators prescribed
by the regulations. The regulations will operate to ensure
that an organisation or small business operator is not a credit
provider despite the operation of subclauses (1) to (4), under
which the organisation or small business operator would otherwise
have been a credit provider.

Clause
6H Agents of credit
providers

This
provision sets out the circumstances in which an organisation or
small business operator that is acting as the agent of a credit
provider will be considered to be a credit provider while acting as
the credit provider’s agent.

Subclause
(1) provides that an organisation or small business operator will
be acting as an agent of a credit provider (the principal) if it is
performing, on the principal’s behalf, a task that is
reasonably necessary in processing an application for credit made
to the principal, or a task that is reasonably necessary in
‘managing credit’ provided by the principal.

Subclause
(2) limits the application of subclause (1). If an
organisation or small business operator is taken to be a credit
provider because it is already acting as the agent of another
credit provider (the principal), then any organisation or small
business operator that performs tasks for that agent does not
become a credit provider under the operation of subclause
(1). Essentially, this provision prevents the agent of an
agent becoming the agent of the principal credit provider for the
purposes of the credit reporting provisions.

Subclauses
(3) and (4) state the effect of the agent satisfying the
requirements to be a credit provider under subclause (1).
Subclause (3) provides that, where subclause (1) applies in
relation to credit provided by the principal, the credit is taken
for the purposes of the Act to have been provided by both the
principal and the agent. Subclause (4) provides that, where
subclause (1) applies in relation to an application for credit made
to the principal, the application for credit is taken for the
purposes of the Act to have been made to both the principal and the
agent.

This
provision makes clear that small business operators are, if they
satisfy the requirements of the provision, credit providers for the
purpose of this provision that are subject to the credit reporting
provisions. However, a credit provider that is a small
business operator may not be an APP entity subject to the APPs
depending on the nature of their business and the operation of the
small business exemption in section 6D and related
provisions. This is different to the position for small
business operators that are credit reporting bodies, which are
subject to both the credit reporting provisions and the Act as a
whole (including the APPs) because they are excluded from the
definition of a ‘small business operator’ (see item
68).

Clause
6J Securitisation
arrangements etc.

This
provision provides the circumstances in which an organisation or
small business operator that is a securitisation entity will be
considered to be a credit provider.

Subclause
(1) sets out the circumstances in which an organisation or small
business operator that is a securitisation entity will be a credit
provider. An organisation or small business operator that is
a securitisation entity must carry on a business that is involved
in either or both of: a ‘securitisation arrangement’;
or managing credit that is the subject of a securitisation
arrangement. The securitisation entity must also perform a
task that is reasonably necessary for either purchasing, funding or
managing, or processing an application for, credit by means of a
securitisation arrangement, or reasonably necessary for undertaking
‘credit enhancement’ in relation to credit. In
addition, the credit referred to must have been provided by, or be
the subject of an application to, the original credit
provider. In these circumstances, the securitisation entity
will be a credit provider while it performs any such task set out
above.

Subclause
(2) limits the application of subclause (1). If an
organisation or small business operator is taken to be a credit
provider because it is already acting as a securitisation entity of
another credit provider (the original credit provider), then any
organisation or small business operator that performs tasks for the
securitisation entity does not become a credit provider under the
operation of subclause (1).

Subclauses
(3) and (4) state the effect of the securitisation entity
satisfying the requirements to be a credit provider under subclause
(1). Subclause (3) provides that, where subclause (1) applies
in relation to credit provided by the original credit provider, the
credit is taken for the purposes of the Act to have been provided
by both the principal and the securitisation entity.
Subclause (4) provides that, where subclause (1) applies in
relation to an application for credit made to the original credit
provider, the application for credit is taken for the purposes of
the Act to have been made to both the principal and the
securitisation entity.

This
provision makes clear that small business operators are, if they
satisfy the requirements of the provision, credit providers for the
purpose of this provision that are subject to the credit reporting
provisions. However, a credit provider that is a small
business operator may not be an APP entity subject to the APPs
depending on the nature of their business and the operation of the
small business exemption in section 6D and related
provisions. This is different to the position for small
business operators that are credit reporting bodies, which are
subject to both the credit reporting provisions and the Act as a
whole (including the APPs) because they are excluded from the
definition of a ‘small business operator’ (see item
68).

Clause
6K Acquisition of the rights of
a credit provider

This
provision provides that an organisation or small business operator
which acquires the rights of a credit provider in relation to the
amount of credit will be considered to be a credit provider in
relation to that particular amount of credit.

Subclause
(1) sets out the circumstances in which an organisation or small
business operator that acquires the rights of a credit provider
will be taken to be a credit provider. Where the organisation
or small business operator (known as the acquirer) acquires
(whether by assignment, subrogation or any other means) the rights
of the original credit provider in relation to the repayment of an
amount of credit, then the acquirer will (subject to
paragraph (b)) be a credit provider only in relation to that
credit.

Paragraph
(1)(b) limits the application of paragraph (1)(a). If an
organisation or small business operator that is an acquirer is
already a credit provider under subclause 6G(1), then the acquirer
is not also a credit provider under subclause (1).

Subclauses
(2) and (3) state the effect of the acquirer satisfying the
requirements to be a credit provider under subclause (1).
Subclause (2) provides that, where subclause (1) applies in
relation to credit provided by the original credit provider, the
credit is taken for the purposes of the Act to have been provided
by both the original credit provider and the acquirer.
Subclause (3) provides that, where subclause (1) applies in
relation to an application for credit made to the original credit
provider, the application for credit is taken for the purposes of
the Act to have been made to both the original credit provider and
the acquirer.

This
provision makes clear that small business operators are, if they
satisfy the requirements of the provision, credit providers for the
purpose of this provision that are subject to the credit reporting
provisions. However, a credit provider that is a small
business operator may not be an APP entity subject to the APPs
depending on the nature of their business and the operation of the
small business exemption in section 6D and related
provisions. This is different to the position for small
business operators that are credit reporting bodies, which are
subject to both the credit reporting provisions and the Act as a
whole (including the APPs) because they are excluded from the
definition of a ‘small business operator’ (see item
68).

Subdivision
B - Other definitions

This
Subdivision sets out other key credit reporting
definitions.

Clause
6L Meaning of access
seeker

This
provision inserts the meaning of access seeker. The
term ‘access seeker’ is used to describe a person who
requests access to credit reporting information from a credit
reporting body (see clause 20R) or credit eligibility information
from a credit provider (see clause 21T), and is also used in
the offence provisions in Division 6.

Subclause
(1) provides that an access seeker in relation to credit reporting
information or credit eligibility information about an individual
is either the individual, or a person who is assisting the
individual to deal with a credit reporting body or credit
provider. Where it is a person assisting the individual, the
person must be authorised, in writing, by the individual to make
the access request in relation to the individual’s
information.

Subclause
(2) provides certain exceptions to subclause (1). An
individual is not permitted to authorise a person under subclause
(1) if the person is a credit provider, a mortgage insurer, a trade
insurer, or a person who is prevented from being a credit provider
by subclause 6G(5) or (6). The access provisions should
not be used by these persons because any access would circumvent
the provisions prescribing the circumstances in which these
entities or persons can collect, or are prohibited from collecting,
credit reporting information or credit eligibility information
about the individual. Subclauses 6G(5) and (6) prohibit a
real estate agent, a general insurer, or an employer from being a
credit provider, or any organisation or small business entity that
is prescribed by regulations from being a credit provider. A
person who is any of these cannot be authorised as an access seeker
for an individual.

Subclause
(3) provides that the National Relay Service is excluded from the
definition of ‘access seeker’. The National Relay
Service provides assistance to individuals to communicate with
others. If the National Relay Service is assisting an
individual to deal with a credit reporting body or credit provider
they would fall within subclause (1) and be required to be
authorised in writing by the individual. However, because of
the way the National Relay Service operates, the need for an
individual to give written authorisation may be problematic in some
situations. In these circumstances it would not be
appropriate to impose an obligation on an individual to authorise
the National Relay Service in writing before seeking the
Service’s assistance to communicate with a credit reporting
body or credit provider.

Clause
6M Meaning of credit and
amount of credit

This
provision inserts the meaning of credit and amount of
credit. The term ‘credit’ is central to the
credit reporting system and replaces the previous term
‘loan’. The term ‘amount of credit’
is used in the definitions of ‘consumer credit liability
information’ (see item 10), ‘credit worthiness’
(see item 29), ‘credit provider’ (see clause 6G) and
‘new arrangement information’ (see clause
6S).

Subclause
(1) states that ‘credit’ is a contract, arrangement or
understanding under which: payment of a debt owed by one person to
another person is deferred; or one person incurs a debt to another
person and defers the payment of the debt. In the absence of
a written agreement allowing deferral of the payment, the provision
of credit requires a mutual understanding between the individual
and the relevant entity that a credit contract, arrangement or
understanding has been entered into, and the terms of that
contract, arrangement or understanding. It may not be
sufficient that the individual has not paid the debt, and the
entity has failed to enforce payment of it. Whether an entity
has provided credit is a question of fact, and an assessment would
need to be made on a case by case basis.

Subclause
(3) provides certain examples of what satisfies the meaning of
‘credit’, without limiting the definition set out in
subclause (1).

Subclause
(2) states that the term ‘amount of credit’ refers to
the amount of the debt that is actually deferred, or may be
deferred, but does not include any fees or charges payable in
connection with the deferral of the debt.

Credit information is the basic category of personal
information in the credit reporting system. The term credit
information comprises a defined list of certain kinds of personal
information that are relevant to the purpose of the credit
reporting system. However, any information that would fall
within the definition of sensitive information in section 6(1) of
the Act is expressly excluded from credit information.

The following types of personal information included in the
definition of credit information are separately defined in section
6(1): 'consumer credit liability information' (see item 10 - this
type of information includes four of the five new types of personal
information that are permitted as part of the move to more
comprehensive credit reporting); 'court proceedings information'
(see item 12); and 'identification information' (see item
34). The following types of personal information are
separately defined in Division 2, which sets out key definitions
relating to credit reporting: 'default information' (see clause
6Q); 'information requests' (see clause 6R); 'new arrangement
information' (see clause 6S); 'payment information' (see clause
6T); 'personal insolvency information' (see clause 6U) and
'repayment history information' (see clause 6V - this type of
information is the fifth type of personal information that is
permitted as part of the move to more comprehensive credit
reporting).

The definition of credit information includes, at paragraph
(e), information about the type and amount of consumer or
commercial credit sought in an application made by an individual to
a credit provider (further description of what 'type' and 'amount'
mean is given in relation to item 10).

In addition, credit information includes two other kinds of
personal information: information about certain publicly available
information about the individual that relates to the
individual’s activities in Australia or the external
Territories and their credit worthiness; and information that is
the opinion of a credit provider that the individual has committed
a 'serious credit infringement' (defined in section 6(1), see item
63).

The type of publicly available information that can be
included in an individual's credit information is limited by
paragraph (k). The publicly available information about the
individual must relate to the individual's activities in Australia
or the external Territories and the individual's credit
worthiness. This limitation ensures that information about an
individual's foreign activities is not included. In addition,
the information must relate to the individual's credit
worthiness. This is consistent with the purpose of the credit
reporting system. The other restriction set out in paragraph
(k) is that the information must not be court proceedings
information about the individual or information that is entered on
the National Personal Insolvency Index. Both of these types
of information are publicly available, but the inclusion of these
types of information about an individual is specifically dealt
with by paragraphs (i) and (j), and separately defined in section
6(1) and clause 6U respectively.

It
is expected that the registered CR code will provide further
explanation of the meaning of 'publicly available information' to
assist in understanding this term and the types of information to
which it applies. Whether information is
publicly available information is a decision that must be made on
a case-by-case basis, taking into account all relevant
circumstances, such as the extent to which access to the
information is restricted in some way, for example by a
fee.

Clause 6P Meaning of credit reporting business

This provision inserts the meaning of credit reporting business.
The term ‘credit reporting
business’ is used in the definition of a ‘credit
reporting body’ (see item 26).

Subclause
(1) provides that a ‘credit reporting business’ is a
business or undertaking that involves collecting, holding, using or
disclosing personal information about individuals for the purpose
of, or for purposes including the purpose of, providing an entity
with information about the credit worthiness of an
individual. Subclause (2) makes clear that subclause (1)
applies whether or not the information is provided for profit or
reward, or provided, or intended to be provided, for the purposes
of assessing an application for consumer credit.

Subclause
(3) sets out an exception to subclause (1) where a credit provider
provides information about the credit worthiness of an individual
to a related body corporate (in addition, see paragraph 21G(3)(b),
which permits the disclosure of credit eligibility information to a
related body corporate).

Division 3
sets out ‘permitted CP disclosures’ under which a
credit provider is permitted to disclose credit eligibility
information, including, for example, to other credit providers with
the consent of the individual (see subclause 21J(1)). A
credit provider that makes a ‘permitted CP disclosure’
would not, as a result of making that specific permitted
disclosure, fall within the general definition set out in subclause
(1).

Subclause
(4) provides that regulations may exclude certain businesses or
undertakings from the definition of a credit reporting
business. A business or undertaking is not a credit reporting
business if it is included in a class of businesses or undertakings
prescribed by the regulations.

The
definition of a ‘credit reporting business’ does not
contain a dominant purpose test, which previously featured in the
former definition of this term that has been repealed (see item
27). Any business or undertaking that falls within the terms
of subclause (1) is regarded as a credit reporting business.
This does not require, for example, a consideration of whether the
activities of a credit reporting business are a large or small
component of the overall activities of the business or
undertaking. If the activities of the business or undertaking
involve collecting, holding, using or disclosing personal
information about individuals, either wholly or partly for the
purpose of providing an entity with information about an
individual’s credit worthiness, then the business or
undertaking is a credit reporting business. It is considered
appropriate that any business or undertaking that is performing
these activities should be subject to the obligations set out in
the credit reporting provisions. To the extent that the
business or undertaking does other activities that are not part of
its credit reporting business, the business or undertaking will be
subject to the APPs. In addition, a credit reporting body
that is a small business operator is excluded from the definition
of a small business operator and so will be subject to the APPs
(see item 26).

Clause 6Q Meaning of default information

This
provision inserts the meaning of default information in
relation to consumer credit defaults and guarantor defaults.
‘Default information’ is a type of information that can
be included in an individual’s ‘credit
information’ (see clause 6N). The term is also used in
the definitions of ‘new arrangement information’ (see
clause 6S) and ‘payment information’ (see clause
6T). A credit provider can, subject to certain requirements,
disclose ‘default information’ as part of ‘credit
information’ to a credit reporting body (see paragraph
21D(3)(d)), and must disclose ‘payment information’ in
relation to default information it has disclosed to a credit
reporting body (see clause 21E). A credit provider can also
disclose certain default information to a debt collector (see
subclause 21M(2)).

Default
information that is included in an individual’s ‘credit
information’ can only be about ‘consumer credit’,
whether the individual is the borrower or the guarantor.

Subclause
(1) deals with defaults by an individual that has been provided
with consumer credit by a credit provider (that is, a
borrower). Default information about an individual is
information about a payment (which includes a payment that is
wholly or partly a payment of interest) that the individual is
overdue in making in relation to consumer credit provided to the
individual by the credit provider. In addition, the
individual must be at least 60 days overdue in making the payment,
and the provider must have given the individual a written notice
informing the individual of the overdue payment and requesting the
individual pay the amount of the overdue payment. However,
the overdue payment cannot be default information if the provider
is prevented by a statute of limitations from recovering the amount
of the overdue payment. In addition, the overdue payment must
be for an amount that is equal to or more than $100, or such other
higher amount that is prescribed by regulations. This amount
is based on balancing the need for credit providers to assess
adequately the credit risk of an individual against the
disproportionate consequences of listing less significant
debts. It is necessary for regulations to be able to
prescribe a higher amount in order for it to be changed from time
to time based on changing circumstances.

Subclause
(2) deals with defaults by an individual that is a guarantor in
relation to consumer credit provided to another individual by a
credit provider. Default information about an individual that
is a guarantor is information about a payment that the individual
is overdue in making as a guarantor in relation to a guarantee
given against any default by the borrower in repaying all or any of
the debt deferred under consumer credit provided by the provider to
the borrower. In addition, the provider must have given the
individual written notice of the borrower’s default that gave
rise to the obligation of the guarantor to make the overdue
payment, and the written notice must request that the individual
pay the amount of the overdue payment. At least 60 days must
have passed since the day on which the notice was given and the
provider must have taken other steps (in addition to giving the
notice to the guarantor) to recover the amount of the overdue
payment from the guarantor. The provider must also not be
prevented by a statute of limitations from recovering the amount of
the overdue payment from the guarantor.

If the
amount of the overdue payment is less than $100, or any such higher
amount prescribed by the regulations, the credit provider is not
able to include default information about that overdue amount in
the guarantor’s ‘credit information’. An overdue
payment of less than $100 or the prescribed amount is not a default
due to the operation of paragraph (1)(d). Subclause (2) only
operates where the guarantee relates to a default of the
borrower.

Clause 6Q
clearly excludes statute barred debts from the definition of
default information. This means that where the credit
provider is prevented by a statute of limitations from recovering
the amount of the overdue payment from the individual, the credit
provider cannot have that overdue payment included as default
information in the individual’s ‘credit
information’. Similarly, a credit provider is
prohibited from including default information in an
individual’s ‘credit information’ where the
individual was a guarantor against the default of another person
and the credit provider is prevented by a statute of limitations
from recovering the amount of the overdue payment from the
guarantor.

It is
expected that the registered CR code will provide guidance around
the operation of the definition, for example on such matters as the
timeframes for giving written notice to individuals.

Clause 6R Meaning of information request

This provision inserts the meaning of information request.
An ‘information request’ can be included in an
individual’s ‘credit information’ (see clause 6N)
and refers to a request for information about an individual made to
a credit reporting body. A credit reporting body can disclose
credit reporting information to a credit provider, mortgage insurer
or trade insurer in response to a request for information (see
clause 20F). A credit reporting body may retain an
information request about an individual for a specified period (see
clause 20W).

The
meaning of ‘information request’ varies depending on
whether the request for information is made by a credit provider,
mortgage insurer, or trade insurer. These differences reflect
the circumstances in which a credit reporting body is permitted to
disclose credit reporting information to these entities.

Subclause
(1) deals with an information request by a credit provider.
An information request refers to the circumstances when a credit
provider has sought information about an individual from a credit
reporting body in connection with an application for
‘consumer credit’ or ‘commercial credit’,
or for a ‘credit guarantee purpose’ of the provider, or
for a ‘securitisation related purpose’ of the
provider.

Subclause
(2) deals with an information request by a mortgage insurer.
An information request refers to the circumstances when a mortgage
insurer has sought information about an individual from a credit
reporting body in connection with the provision of insurance to a
provider in relation to ‘mortgage credit’ provided to
the individual or a person for whom the individual is, or proposes
to be, a guarantor.

Subclause
(3) deals with an information request by a trade insurer. An
information request refers to the circumstances where a trade
insurer has sought information about an individual from a
credit reporting body in connection with the provision of insurance
to a provider in relation to ‘commercial credit’
provided to the individual or another person.

Clause 6S Meaning of new arrangement information

This
provision inserts the meaning of new arrangement information
in relation to consumer credit defaults and serious credit
infringements. ‘New arrangement information’ can
be included in an individual’s ‘credit
information’ (see clause 6N). A credit provider can
disclose ‘new arrangement information’ to a credit
reporting body as ‘credit information’ (see clause
21D). ‘New arrangement information’ about an
individual that is held or maintained by a credit reporting body is
subject to specific retention periods (see clause 20W).

Where an
individual is overdue in making payments in relation to consumer
credit a credit provider may choose to enter into a new arrangement
with the individual. Such a new arrangement only satisfies
the definition of ‘new arrangement information’ if the
credit provider has previously disclosed ‘default
information’ or a ‘serious credit infringement’
in relation to the individual’s overdue payments. The
new arrangement may either vary the original consumer credit
arrangements or provide the individual with new consumer credit
(either by the original credit provider or a different credit
provider) that relates, in whole or in part, to the previous
consumer credit. In some circumstances prior to a default,
the credit provider and the individual may agree on a hardship
arrangement, as provided for in the NCCP Act. Hardship
arrangements that satisfy the requirements of the NCCP Act are not
included within the meaning of ‘new arrangement
information’. Similarly, any new arrangement made in
relation to consumer credit where the credit provider has not
disclosed default information or a serious credit infringement in
relation to that consumer credit is not included in the meaning of
‘new arrangement information’. It is considered
that any such arrangements may appear to be too similar to hardship
arrangements to effectively distinguish between them, and increase
the risk that individuals may not seek hardship arrangements as
permitted in appropriate circumstances.

Once new
arrangement information has been included in an individual’s
credit information, the consumer credit to which that new
arrangement relates is treated in the same way as any other
consumer credit. This means that if, for example, the
individual defaults on the consumer credit provided as a result of
the new arrangement, that default can be disclosed as part of the
individual’s credit information. Where the new
arrangement has the effect of rendering the individual no longer
overdue in respect of their payments then the credit provider must
disclose the relevant ‘payment information’ in relation
to the previously reported default to the credit reporting
body. The question of whether the arrangement has the effect
of rendering the individual no longer overdue will depend on the
intention of the parties as indicated by the terms of the
arrangement and any other circumstances. It is expected that
the registered CR code will provide further guidance on when the
new arrangement has the effect of rendering the individual no
longer overdue in respect of their payments.

Subclause
(1) deals with ‘new arrangement information’ where a
credit provider has previously disclosed to a credit reporting body
‘default information’ about an individual that relates
to a payment the individual is overdue in making in relation to
consumer credit. Where, as a result of this occurring, the
provider has varied the terms and conditions of the original
consumer credit, or the provider or a different credit provider has
provided the individual with new consumer credit that relates,
wholly or in part, to the original amount of credit, then a
statement that this has occurred is new arrangement
information. Such a statement can then be included in the
individual’s ‘credit information’. An
arrangement would normally involve a significant variation of the
main elements of the contract such as the period of the loan, or
the size and frequency of repayments. On this basis, an
arrangement would not include, for example, a verbal agreement to
allow a one-off later payment. It is expected that the
registered CR code will provide further guidance on what new
arrangements fall within paragraph 6S(1)(c) for the purposes of
this provision.

Subclause
(2) deals with ‘new arrangement information’ where a
credit provider has previously disclosed to a credit reporting body
the provider’s opinion that the individual has committed a
‘serious credit infringement’ in relation to consumer
credit provided by the provider. Where, as a result of the
provider having that opinion, the provider has varied the terms and
conditions of the original consumer credit, or the provider or a
different credit provider has provided the individual with new
consumer credit that relates, wholly or in part, to the original
amount of credit, then a statement that this has occurred is new
arrangement information. Such a statement can then be
included in the individual’s ‘credit
information’.

Clause 6T Meaning of payment information

This provision inserts the meaning of payment information.
‘Payment information’ can be included in an
individual’s ‘credit information’ (see clause
6N). Where a credit provider has disclosed ‘default
information’ about an individual to a credit reporting body,
then the credit provider must disclose ‘payment
information’ that satisfies the terms of this definition to
the credit reporting body (see clause 21E). A credit provider
is prohibited from disclosing ‘default information’ to
a debt collector if the credit provider holds ‘payment
information’ (see clause 21M). ‘Payment
information’ about an individual that is held or maintained
by a credit reporting body is subject to specific retention periods
(see clause 20W).

Payment
information about an individual is a statement that the amount of
an overdue payment has been paid, specifying the day the payment
was made. Payment information must relate to default
information that a credit provider has disclosed about the
individual to a credit reporting body, and must refer to the
payment of the amount of the overdue payment, where the payment is
made on any day after the default information has been
disclosed.

A partial
payment of an overdue payment is not ‘payment
information’. When the overdue payment is wholly paid
(whether by a single payment or a series of payments) then the
‘payment information’ must be disclosed. It is
expected that the registered CR code will provide guidance on
payment information, such as how the accrual of fees on an overdue
payment is to be treated.

Clause 6U Meaning of personal insolvency information

This provision inserts the meaning of personal insolvency information.
‘Personal insolvency
information’ can be included in an individual’s
‘credit information’ (see clause 6N) and may be
collected by a credit reporting body (consistent with the
requirements set out in clause 20C). ‘Personal
insolvency information’ about an individual that is held or
maintained by a credit reporting body is subject to specific
retention periods for different types of information included in
the definition of ‘personal insolvency information’
(see clause 20X). Disclosure by a credit provider of
‘personal insolvency information’ to a debt collector
is subject to specific conditions (see clause 21M).

Paragraph
(1)(a) provides that ‘personal insolvency information’
about an individual must be information that is entered or recorded
in the National Personal Insolvency Index. The Index is an
official source of personal insolvency information and also sets
out the different categories of personal insolvency permitted by
the Bankruptcy Act. Paragraph (1)(b) sets out the types of
personal insolvency information on the Index which are included in
the definition of ‘personal insolvency
information’.

Subclause
(2) provides that information which relates to certain matters is
excluded from the meaning of ‘personal insolvency
information’.

Only the
specified types of information on the National Personal Insolvency
Index set out in paragraph (b) (and subject to the exclusions in
subclause (2)) are permitted to be included as ‘personal
insolvency information’ for the purposes of an
individual’s ‘credit information’. Any
other personal information about an individual on the National
Personal Insolvency Index cannot be collected as ‘credit
information’. By providing specifically in paragraph
(b) for the personal information on the National Personal
Insolvency Index that can be included in personal insolvency
information, it is understood that any other information on the
Index that is not included in paragraph (b) could not be collected
as publicly available information.

Subclause
(3) recognises that the Bankruptcy Act sets out the meaning of
certain terms and ensures any terms used in paragraphs (1)(b) or
(2)(a) have the same meaning as they do in the Bankruptcy
Act.

Clause 6V Meaning of repayment history information

This provision inserts the meaning of repayment history information.
‘Repayment history information’
can be included in an individual’s ‘credit
information’ (see clause 6N). The circumstances in
which a credit reporting body can collect or disclose
‘repayment history information’ are restricted (see
clauses 20C and 20E respectively) and the circumstances in which
this type of information can be disclosed by a credit provider are
also restricted (see clauses 21D and 21G). ‘Repayment
history information’ about an individual that is held or
maintained by a credit reporting body is subject to a specific
retention period (see clause 20W).

Repayment
history information is one of the five types of credit information
that are permitted to be included in the credit reporting system as
part of the move towards a more comprehensive credit reporting
system. The other four types of information that are
permitted to be included in the credit reporting system as part of
the move to more comprehensive credit reporting are included in
the definition of ‘consumer credit liability
information’ (see item 10).

Application,
transitional and savings provisions are set out in schedule 6 of
the Bill. Part 3 of schedule 6 deals with the application of
the credit reporting provisions. Item 4(6) provides that the
definition of ‘repayment history information’ commences
on Royal Assent of the Bill. This means that, on commencement
of the Bill, repayment history information that is collected and
disclosed can relate to repayment history from the period between
Royal Assent and commencement. As clause 2 of the Bill
provides that the credit reporting provisions commence 9 months
after Royal Assent, this means that 9 months of repayment history
information may be collected or disclosed on commencement.
This is subject to the obligations set out in clause 6V and the
credit reporting provisions, as well as any obligations set out in
the regulations made pursuant to subclause (2) or contained in the
registered CR code.

Subclause
(1) provides that repayment history information about consumer
credit provided to an individual is information about whether or
not the individual has met an obligation to make a monthly payment
that is due and payable in relation to the consumer credit.
The information may also include the day on which the monthly
payment is due and payable and, if the payment is made after the
day on which the payment was due, the day on which the individual
makes the payment.

Subclause
(2) provides that the regulations may make provision in relation
to: whether or not an individual has met an obligation to make a
monthly payment; and whether or not a payment is a monthly
payment. It is anticipated that regulations will be made to
deal with these matters. In addition, it is expected that the
registered CR code will provide further guidance and set out
further requirements in relation to the elements of repayment
history information, including the calculation of monthly payments
and other related matters. This is expected to include
requirements and guidance dealing with how repayment history that
is subject to other periods of repayment (whether weekly,
fortnightly, or some other period of time) will be listed on a
monthly basis. In addition, the registered CR code may deal
with matters such as grace periods before listing repayment history
information and any other relevant matters.

Division 3 - Other matters

Item 70 Paragraphs 7(1)(a) and 8(1)(a)

These
paragraphs deal with certain acts and practices. This item
replaces the term ‘credit reporting agency’ with the
term ‘credit reporting body’ as this is the term that
is now being used.

Item 71 Sections 11A and 11B

This item
repeals sections 11A and 11B as the definitions of credit reporting
agencies and credit providers set out in these sections have now
been replaced.

Item 72 Part IIIA

This
provision repeals Part IIIA and substitutes a new Part IIIA on
credit reporting.

Division 1 - Introduction

Clause 19 Guide to this Part

This
provision is a guide to the Part.

Division 2 - Credit Reporting Bodies

Subdivision A - Introduction and application of this Division etc.

Clause 20 Guide to this Division

This
provision is a guide to the Division.

Clause 20A Application of this Division and the Australian Privacy Principles to credit reporting bodies

This
provision states that the Division only applies to credit reporting
bodies in relation to their handling of credit reporting
information; CP derived information; de-identified information; and
pre-screening assessments.

This
provision defines the approach taken to the regulation of credit
reporting bodies. This Division provides a complete set of
rules that apply to credit reporting bodies in relation to these
categories of information. As the APPs don’t apply to
those categories of information it is necessary to ensure that the
rules for credit reporting bodies deal with all relevant matters
that would otherwise be covered by the APPs.

Credit
reporting bodies have obligations in relation to these four
categories of information. Most of the provisions in this
Division relate to the handling of credit reporting information,
which is defined to include both credit information and CRB derived
information. Specific provisions relate to pre-screening
assessments (clauses 20H and 20J) and credit reporting information
that has been de-identified (clause 20M). While a credit
reporting body may not hold CP derived information, clause 20T
imposes obligations on credit reporting bodies to provide
assistance to an individual who wishes to correct credit
information, CRB derived information, or CP derived information
about the individual. If the credit reporting body holds at
least one of these categories of information they have certain
correction obligations, and the ability to consult with another
credit reporting body or credit provider as required.

The
requirements set out in this Division apply to these categories of
information instead of the APPs - that is, the APPs do not
apply and are replaced by these requirements. The APPs do not
generally apply to de-identified information, which is why this
category of information is not included in subclause (2). The
reasons for regulating credit reporting information that has been
de-identified are set out in the discussion of clause
20M.

To the
extent that a credit reporting body handles any other personal
information, the handling of that personal information will be
regulated by the Australian Privacy Principles.

Subdivision B - Consideration of information privacy

Clause 20B Open and transparent management of credit reporting information

This
provision is based on the obligations set out in APP 1, modified to
apply specifically to credit reporting bodies and their handling of
credit reporting information.

Subclause
(1) states the object of the provision.

Subclause
(2) imposes a general requirement on credit reporting bodies to
take reasonable steps to implement practices, procedures and
systems in relation to their credit reporting business that will
ensure compliance with the requirements of the Division and the
registered CR code and to enable them to deal with inquiries or
complaints about their compliance. It is anticipated that
credit reporting bodies will demonstrate their compliance with this
obligation by, for example, developing and maintaining training
programs, staff manuals, standard procedures and any other relevant
documents that demonstrate awareness of, and compliance with, their
obligations under the Division and the registered CR code. In
addition, credit reporting bodies should be able to demonstrate
that their business systems, such as their data management systems,
comply with the requirements of the Division or the registered CR
code.

Subclause
(3) requires credit reporting bodies to have a policy dealing with
their management of credit reporting information. The policy
must be clearly expressed and up-to-date.

Subclause
(4) provides a list of matters on which the policy must contain
information. The list is not exhaustive and the policy can,
and should where necessary to satisfy the obligation set out in
subclause (3), contain additional information. The purpose of
the list is to provide guidance to credit reporting bodies on
information that the policy must contain which is likely to be
directly relevant to individuals and their concerns about the
information handling practices of credit reporting bodies. It
is not intended that the policy set out matters such as detailed
operational or administrative procedures or the processes of
internal data management systems, nor is it intended that the
policy establish technical data handling standards.

Subclause
(5) requires credit reporting bodies to take reasonable steps to
make the policy publicly available. Credit reporting bodies
must take reasonable steps to make the policy available free of
charge, and must make the policy available in an appropriate form
- for example, on the website.

Subclause
(6) ensures that the policy is readily available to the
public. While a credit reporting body may decide to make the
policy available on their website, there may be circumstances where
a person or body may wish to have the policy in a particular form
- for example, in a different digital form that is more
accessible for readers with a disability, or as a printed
booklet. Following any such request, credit reporting bodies
must take reasonable steps to provide the person or body with a
copy of their policy in the requested form. It is expected
that a credit reporting body would not charge for
access.

Subdivision C - Collection of credit information

Clause 20C Collection of solicited credit information

This
provision is based on the obligations and structure of APP 3,
modified to apply specifically to credit reporting bodies and their
collection of credit information. The provision generally
prohibits the collection of solicited credit information by credit
reporting bodies, then sets out a series of exceptions to the
prohibition. The primary source from which credit information
is collected by credit reporting bodies is credit providers.
The disclosure of credit information by credit providers to a
credit reporting body is dealt with by clause 21D. However,
the exceptions to the general prohibition on collection by credit
reporting bodies set out other permitted circumstances in which
credit reporting bodies can collect solicited credit
information.

Taken
together, clauses 20C and 21D prescribe the means by which credit
information enters the credit reporting system. In the
context of considering the data flows in the credit reporting
system, these provisions deal with how credit information flows
into the system. As discussed above in definitions, credit
information comprises all of the basic data sets about the
individual which are permitted in the credit reporting system and
from which all other information in the system is wholly or partly
derived.

Subclause
(1) prohibits a credit reporting body from collecting credit
information about an individual. Breach of this prohibition
is subject to a civil penalty of 2000 penalty units.

Subclauses
(2) to (6) deal with the exceptions to the prohibition in subclause
(1).

Subclause
(2) provides a general exception to the prohibition where the
collection is required or authorised by or under an Australian law
or a court or tribunal order.

Subclause
(3) provides an exception for collection of credit information from
a credit provider. This provision provides a link to the
permitted disclosure by credit providers set out in clause
21D. However, the credit information can only be collected if
the collection is done in the course of carrying on a credit
reporting business. A credit reporting body is defined as an
agency or organisation (which for these purposes includes a small
business) that carries on a credit reporting business. A
credit reporting business may have other lines of business.
This provision clarifies that credit information can only be
collected from a credit provider if it is for the credit reporting
business - this provision does not provide an exception to
the prohibition on the collection of credit information for any
other line of business that a credit reporting body may
conduct. Finally, a credit reporting body is only permitted
to collect identification information about an individual if it
also collects, or already holds, another kind of credit information
about the individual. The reference to credit information of
another kind refers to the definition of credit information, which
lists the kinds of information that can be collected. The
purpose of this limitation is to prevent credit reporting bodies
from compiling a data base that comprises identification
information about individuals without any associated credit
information. The purpose of the credit reporting system is
not to provide an identification data base of individuals in
Australia, but to assemble credit information which relates to the
credit worthiness of individuals, as these terms are
defined.

Subclause
(4) sets out the circumstances in which credit reporting bodies are
permitted to collect credit information from entities other than
credit providers. Some kinds of credit information (for
example, court proceedings information, personal insolvency
information, or publicly available information as described in the
definition of credit information) may be available from entities
other than credit providers and credit reporting bodies may wish to
collect these kinds of credit information from those sources.
In addition, there may be circumstances in which a credit provider
has assigned debts owing to the credit provider to another entity
that is not a credit provider, and a credit reporting body wishes
to collect relevant credit information from the entity. It
may also be the case that a credit reporting body wishes to make
arrangements to collect credit information from another credit
reporting body. Consistent with subclause (3), the collection
of this credit information must be in the course of carrying on a
credit reporting business.

Subclause
(4) goes on to set a number of limitations on the collection of
credit information from entities other than credit providers.
These limitations are consistent with the limitations imposed upon
the disclosure of credit information by credit providers in clause
21D. Because those entities which are not credit providers
are not directly regulated by the credit reporting provisions, the
only way in which the necessary limitations can be imposed on the
flow of credit information into the credit reporting system is to
restrict the collection of such information by credit reporting
bodies.

Accordingly,
the general restriction preventing the collection of credit
information about an individual who is under 18 years old is stated
in subclause (4)(a)(ii). In addition, subclause (4)(b) states
that the credit information cannot relate to any act, omission,
matter or thing that occurred or existed before the individual
turned 18. This is to prevent the back-capture of past
activity of an individual after they turn 18. In general
terms, information about any credit related activity undertaken by
a person before they turn 18 cannot be included in the credit
reporting system (unless permitted by the exceptions to this
general rule that follow). This means that, for example, an
individual who obtains credit, repays the loan as required, and
concludes the credit contract before they turn 18 will not have any
information about that credit contract included in the credit
reporting system. Similarly, if an individual defaults on
credit before they turn 18 the default cannot be subsequently
listed after the individual turns 18 if the credit has been
terminated or otherwise ceases to be in force. However,
subclause (5) states that the prohibition on collection of credit
information about an individual before they turned 18 does not
apply to identification information. This will allow, for
example, the collection of prior addresses as permitted in the
definition of identification information where the prior addresses
relate to a time before the individual turned 18. In
addition, subclause (6) states that the prohibition on collecting
credit information about an individual before they turned 18 does
not apply to consumer credit liability information that was entered
into before the individual turned 18, so long as the consumer
credit was not terminated and did not otherwise cease to be in force before
the individual turned 18. The purpose of this exception to
the general prohibition on collecting credit information about an
individual before they turned 18 is to recognise that consumer
credit liability information, as defined, includes information
about the day the consumer credit is entered into, and this
information, along with all the other consumer credit liability
information, can be provided into the credit reporting
system.

Subclause
(4) also sets out two additional limitations on the collection of
credit information by credit reporting bodies from entities other
than credit providers. Subclause (4)(c) states that, if the
information to be collected relates to consumer credit or
commercial credit, the credit must have been provided, or applied
for, in Australia. This is consistent with the general
objective that the credit reporting system is only intended to
provide information about credit in Australia, and should not
contain information about the credit activities of individuals
outside Australia. Subclause (4)(e) provides that repayment
history information can only be collected from an entity that is
not a credit provider where that entity is another Australian
credit reporting body.

Subclause
(7) states the general obligation, consistent with APP 3, that
credit reporting bodies must only collect credit information by
lawful and fair means.

Subclause
(8) states that this provision only applies to credit information
that is solicited by a credit reporting body. This is to
distinguish the provision from situations where unsolicited credit
information is received.

Clause 20D Collection of unsolicited credit information

This
provision is based on the obligations and structure of APP 4,
modified to apply specifically to credit reporting bodies and
credit information.

Subclause
(1) states that the credit reporting body that receives unsolicited
credit information must determine whether the credit reporting body
could have collected the information under clause 20C if they had
solicited the information. Any use or disclosure for the
purposes of making this determination is permitted by subclause
(2). If the credit reporting body determines that it could
have collected the credit information, subclause (3) makes clear
that the obligations set out in clauses 20C to 20ZA apply to that
collection. Subclause (4) states that the unsolicited credit
information must be destroyed as soon as practicable if the credit
reporting body determines that it could not collect the credit
information, and imposes a civil penalty of 1000 penalty units for
failure to comply with this requirement. However, there may
be circumstances where the credit reporting body is required to
retain the unsolicited credit information by or under an Australian
law or a court or tribunal order. In these circumstances,
subclause (5) permits the retention of the information.

Subdivision D - Dealing with credit reporting information etc

The
provisions in Subdivision D relate to the next stage in the flow of
information in the credit reporting system. Clauses 20C and
20D in Subdivision C dealt with the collection of credit
information. Subdivision D now deals with credit reporting
information. As defined, credit reporting information
includes both credit information (collected by credit reporting
bodies under clauses 20C or 20D) as well as CRB derived information
about an individual. The provisions in the remainder of this
division apply to this broader category of credit reporting
information.

Clause 20E Use or disclosure of credit reporting information

Clause 20E
sets out the general rules for the use or disclosure of credit
reporting information by credit reporting bodies. This
provision is based on the obligations and structure of APP 6, but
has been significantly modified to apply specifically to credit
reporting bodies and credit reporting information.

Subclause
(1) establishes a general prohibition on the use or disclosure of
credit reporting information about an individual by a credit
reporting body. Breach of this prohibition is subject to a
civil penalty of 2,000 penalty units. Subclauses (2) and (3)
provide exceptions for this general prohibition.

Subclause
(2) sets out the permitted uses, which are exceptions to the
prohibition on using credit reporting information in subclause
(1). A credit reporting body is generally permitted to use
credit reporting information in the course of carrying on its
credit reporting business. It is anticipated that this will
allow the use of credit reporting information for matters such as
data management, where this is done in the course of carrying on
the credit reporting business. This would not permit a credit
reporting body to use credit reporting information for any other
business venture. Unlike APP 6, no secondary uses of credit
reporting information by a credit reporting body are
permitted. Only those uses expressly provided in subclause
(2) and other provisions in this Division are permitted. In
addition to the uses permitted in subclause (2), the use of
pre-screening assessments is dealt with by clause 20H and the use
of de-identified credit reporting information is dealt with by
clause 20M.

Paragraphs
(2)(b) and (c) also permit a credit reporting body to use credit
reporting information if the use is required or authorised by or
under Australian law or a court or tribunal order, or the use is
prescribed in the regulations. For example, the use of credit
reporting information for certain identity verification purposes is
specifically authorised, and regulated by, the Anti-Money
Laundering and Counter-Terrorism Financing Act 2006. The
regulation-making power provides a means to permit any currently
unforeseen but necessary uses that may arise in the future.
Additional uses will be permitted where the use can be shown to be
in the public interest as well as being for the benefit of the
individuals whose credit reporting information would be used.
Appropriate public consultation with all relevant stakeholders
would be undertaken when considering whether regulations
prescribing any additional uses should be prepared.

Subclause
(3) sets out the permitted disclosures, which are exceptions to the
prohibition on disclosing credit reporting information in subclause
(1). Paragraph (3)(a) provides that a credit reporting body
does not breach this provision if the disclosure is a permitted CRB
disclosure in relation to the individual. Clause 20F sets out
a table of permitted CRB disclosures, which identifies to whom a
disclosure may be made and any related conditions around the
disclosure.

The
remaining paragraphs of subclause (3) set out specific permitted
disclosures. Paragraph (3)(b) permits disclosures of credit
reporting information to another Australian credit reporting
body. This is consistent with subclause 20C(4), which allows
the collection of credit information from entities other than
credit providers. Paragraph (3)(c) permits disclosures to
external dispute resolution schemes that have been recognised by
the Information Commissioner, where a credit reporting body or credit
provider is a member of the scheme. This provision is
intended to ensure that external dispute resolution schemes can
access relevant credit reporting information, where appropriate, to
assist in the resolution of complaints made by individuals about
their personal information in the credit reporting system.
Paragraph (3)(d) permits disclosures to enforcement bodies in
relation to serious credit infringements (as defined). This
provision will assist enforcement bodies in the investigation of
alleged serious credit infringements. Paragraphs (3)(e) and
(f) also permit a credit reporting body to disclose credit
reporting information if the disclosure is required or authorised
by or under Australian law or a court or tribunal order, or the
disclosure is prescribed in the regulations. The
regulation-making power provides a means to permit any currently
unforeseen but necessary disclosures that may arise in the
future. As stated above in relation to the regulation-making
power for uses of credit reporting information, this power would be
exercised where the disclosure is in the public interest, for the
benefit of the individual, and following appropriate public
consultation.

Disclosures
under paragraphs (3)(a) (which permits the disclosures set out in
the table in clause 20F) and (3)(f) (which permits disclosures
under regulations, if any) are subject to an additional limitation
if the disclosure is credit reporting information that includes, or
was derived from, repayment history information. Subclause
(4) provides that such information can only be disclosed if the
credit provider to which it is being disclosed is a licensee
(defined to mean a licensee under the National Consumer Credit
Protection Act). This is intended to ensure that repayment
history information, or credit reporting information that is
derived from repayment history information, can only be disclosed
to credit providers who are subject to responsible lending
obligations under the National Consumer Credit Protection
Act. This restriction extends to credit reporting information
that was derived from repayment history information because it is
considered appropriate that credit providers who cannot access
repayment history information should not be able to indirectly
obtain the benefit of that information through the possibility that
credit reporting bodies could provide credit reporting information
that incorporates repayment history information in another
form. The civil penalty for breach of subclause (4) is 2,000
penalty units.

Subclause
(5) requires credit reporting bodies to make a written note of any
disclosure of credit reporting information under subclause
(3). Because subclause (3) includes disclosures which are
permitted CRB disclosures under clause 20F, this means that written
notes will need to be made of disclosures that fall within clause
20F. The purpose of requiring notes is to provide a record of
all disclosures. To be an effective record, the written note
should identify the date of the disclosure, the entity to which the
credit reporting information was disclosed, the type of disclosure
(including the specific provision under which the disclosure was
authorised), the type of credit reporting information that was
disclosed (where this is not clear from the type of disclosure),
and any other relevant information (for example, that an
individual’s express consent to a disclosure under item 2 of
the table at subclause 20F(1) was not in writing because of the
circumstances set out in subclause 20F(2)). In relation to
identifying the type of credit reporting information that was
disclosed, a reader of the note should be able to determine whether
all credit reporting information relating to the individual was
disclosed, and if not, what types of credit reporting information
were disclosed (for example, repayment history information).
Written notes should be sufficiently associated with the credit
reporting information of the relevant individual to ensure that
individuals are able to obtain access to all written notes relating
to their credit reporting information. Written notes do not
themselves fall within the definition of credit information or
credit reporting information, and so are not subject to the
specific retention rules set out in clause 20W. However, as
written notes would be personal information about an individual, a
credit reporting body will be subject to the general obligations
set out in the APPs in relation to the written notes of
disclosures. As mentioned in the note to this subclause,
other Acts provide that there are certain circumstances in which a
note about a disclosure must not be made and those other Acts
prevail over the obligation in this provision (which means
complying with those other Acts will not be a breach of this
provision). A breach of this provision attracts a civil
penalty of 500 penalty units.

Subclause
(6) provides that none of clause 20E applies to direct
marketing. The purpose of this provision is to ensure that
there is no inconsistency implied with clause 20G, which generally
prohibits the use of credit reporting information for direct
marketing.

Clause 20F Permitted CRB disclosures in relation to individuals

This
provision sets out the permitted CRB disclosures that a credit
reporting body is authorised to make under paragraph
20E(3)(a).

Subclause
(1) states that a disclosure to an entity specified in the table is
permitted subject to the conditions set out in the table. The
table lists eight categories of permitted CRB disclosures.
The conditions of each category of permitted CRB disclosure are
intended to limit the disclosure to those circumstances that are
necessary to achieve the purpose of each permitted
disclosure.

The
permitted CRB disclosures set out in the table are those
disclosures which credit reporting bodies will most commonly
make. When considered in the context of the information flows
in the credit reporting system, this provision generally
establishes the circumstances in which credit providers will
receive information from the credit reporting system. At this
point, information is flowing out of the credit reporting system to
credit providers. Credit providers do not have continuous
access to credit reporting information. They can only obtain
credit reporting information where the conditions set out in the
table are satisfied.

The
recipients of the information nominated in the table are also
regulated in relation to the use that they can make of this
information. Each disclosure permitted by a credit reporting
body will subsequently be regulated as a use by the
recipient. The disclosures in the table to credit providers
are regulated as uses in clause 21H, while the disclosures to
mortgage insurers and trade insurers are regulated as uses by
clause 22C. Regulation of the credit reporting information in
the hands of the recipient ensures that the use of the information
is consistent with the purpose of the disclosure by the credit
reporting body under this provision.

A
disclosure under item 1 of the table to a credit provider is only
permitted if it is for a consumer credit related purpose in
relation to the individual about whom the credit reporting
information is requested. The term ‘consumer credit
related purpose’ is defined, and this means disclosure can
only occur if credit reporting information is necessary to assess
an application for consumer credit or to collect overdue payments
in relation to credit provided by the credit provider to the
individual.

A
disclosure under item 2 of the table to a credit provider is only
permitted for a commercial credit related purpose. This is a
defined term and means disclosure can only occur if it is for the
purpose of assessing an application for commercial credit or to
collect overdue payments in relation to commercial credit provided
to the individual. In addition, the disclosure can only occur
if the individual expressly consents to the disclosure of the
information to the provider for that purpose.
Subclause (2) states that, as a general rule, the express
consent of the individual must be given in writing. However,
where the individual has not made the application for commercial
credit to the credit provider in writing, it is not necessary for
the individual’s consent to be in writing. A
requirement for express consent is included because the credit
reporting system does not generally deal with commercial credit
matters. The definition of credit information only permits
very limited information about commercial credit to be included as
part of an individual’s credit information. It is
recognised that a credit provider may generally find an
individual’s credit information useful in assessing an
application for commercial credit. The requirement for
express written consent ensures that the individual is aware that
their credit information will be used for a non-consumer credit
purpose.

A
disclosure under item 3 of the table to a credit provider is only
permitted for a credit guarantee purpose in relation to the
individual, and the individual must expressly consent, in writing,
to the disclosure for that purpose. ‘Credit guarantee
purpose’ is a defined term, and means the purpose of
assessing whether to accept the individual as a guarantor in
relation to credit provided to, or applied for by, another
person. In this context, it is the individual who is
proposing to be the guarantor whose credit reporting information is
being released, and the proposed guarantor must expressly consent
to the disclosure in writing.

A
disclosure under item 4 of the table of an individual’s
credit reporting information to a credit provider is only permitted
if the credit reporting body is satisfied that a credit provider
believes on reasonable grounds that the individual has committed a
serious credit infringement (which is a defined term). The
credit provider must demonstrate reasonable grounds for this belief
to the credit reporting body to justify access under this
provision.

A
disclosure under item 5 of the table permits disclosure of credit
reporting information to a current credit provider of an
individual. A current credit provider is a credit provider
that holds credit liability information (a defined term) relating
to consumer credit provided to the individual and that consumer
credit has not been terminated or otherwise ceased to be in
force. This provision allows credit reporting bodies to
provide an individual’s credit providers with default
information (or where a payment of a default has occurred, payment
information) about the individual. This provision will also
allow credit reporting bodies to provide other relevant credit
reporting information. However, when read with item 5 in the
table at clause 21H, any credit reporting information disclosed
under this provision can only be used by the recipient credit
provider for the purpose of assisting the individual to avoid
defaulting on the individual’s consumer credit obligations to
that credit provider.

A
disclosure under item 6 of the table can be made to a
securitisation entity that is defined as a credit provider by
subclause 6J(1). Credit reporting information can be
disclosed to such a credit provider only where the provider
requests the information for a securitisation related purpose of
the credit provider in relation to the individual. A
securitisation related purpose is a defined term and refers to
assessing the risk of purchasing, by means of a securitisation
arrangement, credit that has been provided to the individual or to
a person to whom the individual is or proposes to be a
guarantor. The definition of the term also refers to
assessing the risk in undertaking credit enhancement in relation to
credit that has been provided to an individual (or a person to whom
the individual is or may be a guarantor) through a securitisation
arrangement.

A
disclosure under item 7 may be made to a mortgage insurer (a
defined term) where the credit reporting information is requested
by the mortgage insurer for a mortgage insurance purpose in
relation to the individual. The term ‘mortgage
insurance purpose’ is defined.

A
disclosure under item 8 may be made to a trade insurer (a defined
term) where the credit reporting information is requested by the
trade insurer for a trade insurance purpose (a defined term) in
relation to the individual. However, in addition the
individual must expressly consent in writing to the disclosure of
the credit reporting information to the trade insurer for that
purpose. This is consistent with the requirement for express
consent for disclosures that relate to the assessment of commercial
credit applications.

Clause 20G Use or disclosure of credit reporting information for the purposes of direct marketing

This
provision generally prohibits the use or disclosure of credit
reporting information for direct marketing purposes, then deals
with pre-screening use and disclosures.

Subclause
(1) expressly prohibits the use or disclosure of credit reporting
information for the purposes of direct marketing. Breach of
this provision is subject to a civil penalty of 2000 penalty
units.

In general
terms, subclause (2) permits the use by credit reporting bodies of
credit information for pre-screening. Pre-screening is a
direct marketing process by which direct marketing credit offers to
individuals are screened against limited categories of credit
information about those individuals to remove individuals
from the direct marketing credit offer, based on criteria
established by the credit provider making the offer, before the
offers are sent. Generally, the process for pre-screening a
direct marketing credit offer works as follows. The credit
provider making the credit offer establishes the eligibility
requirements for the direct marketing credit offer and provides the
list of individuals about whom the pre-screening assessment will be
made; the credit reporting body undertakes the pre-screening
assessment and determines whether an individual is eligible
consistent with those criteria; the credit reporting body discloses
the pre-screening assessment to a mailing house which conducts the
direct marketing consistent with the pre-screening assessment, and
then the pre-screening assessment is destroyed by the credit
reporting body and the mailing house.

Subclause
(2) sets out the conditions under which pre-screening can
occur. The conditions are cumulative and all must be
satisfied for the pre-screening to occur. Paragraph (2)(a)
says that the credit provider who is doing the direct marketing
must be an Australian credit provider (that is, have an Australian
link as defined) and must be a licensee (that is, subject to
responsible lending obligations). Paragraph (2)(b) states
that the direct marketing must be about consumer credit that the
credit provider provides in Australia, to ensure that the overall
restriction on the use of the credit reporting system for
Australian consumer credit is maintained.

Paragraph
(2)(c) limits the categories of credit information that are
available for pre-screening by excluding consumer credit liability
information and repayment history information from use. As
the stated purpose of pre-screening is to remove individuals from
the direct marketing offer, it was considered that these two
categories provide too much positive information about an
individual’s credit arrangements and hence are unnecessary to
achieve the stated purpose of pre-screening. Limiting the
types of credit information that are available for use is privacy
enhancing.

Paragraph
(2)(d) states that the credit reporting body must use the available
credit information to assess whether or not the individual is
eligible to receive the direct marketing offer of the credit
provider. This must be read with subclause (3), which
requires the credit reporting body to have regard to the
eligibility requirements the credit provider nominates in relation
to the pre-screening of the direct marketing credit offer.
The assessment made by the credit reporting body under this
paragraph is called a ‘pre-screening assessment’.
The process set out in this paragraph means that the credit
provider itself does not receive any credit information in relation
to its credit offer, nor does the credit provider undertake the
pre-screening process itself. Pre-screening is conducted by
the credit reporting body on the instructions of the credit
provider.

Paragraph
(2)(e) states that credit information about an individual can only
be used for pre-screening where the individual has not made a
request under subclause (5), which allows individuals to
‘opt-out’ of pre-screening. Paragraph (2)(f)
requires the credit reporting body to comply with any additional
requirements set out in the registered CR code in relation to
pre-screening. It is expected that the registered CR code may
deal with matters such as requirements by credit reporting bodies
and recipients of pre-screening assessments to maintain audit
trails of pre-screening activity and other process related
matters. It is possible for the entities that receive
pre-screening information to be bound by the CR code, as the
provisions in new Part IIIB on codes provide that the CR code may
bind any entity to which Part IIIA (the credit reporting
provisions) applies.

Subclause
(4) states that an assessment by a credit reporting body under
paragraph (2)(d) is not credit reporting information about this
individual. The assessment is called a ‘pre-screening
assessment’ and is subject to the specific rules set out in
clauses 20H and 20J. As the assessment is not credit
reporting information, it cannot be maintained as part of the
individual’s credit reporting information and cannot be
disclosed, except as permitted by clause 20H.

Subclause
(5) provides the opportunity for individuals to opt-out of having
their credit information used for pre-screening of direct marketing
credit offers. At any time an individual can request a credit
reporting body that holds credit information about the individual
not to use the credit information for pre-screening under subclause
(2). Providing an opt-out option is consistent with the
approach taken in APP 7 on direct marketing. Paragraph
20B(4)(e) expressly requires credit reporting bodies to have
policies about the management of credit reporting information which
deal with pre-screening and how an individual may make an opt-out
request. A credit provider is required by clause 21C to
expressly notify the individual, at or before the time of
collection of personal information, of the details of the credit
reporting bodies which the credit provider deals with and any other
matters specified in the registered CR code. It is expected
that these notification requirements and the credit reporting
body’s privacy policy will give the individual sufficient
opportunity to opt-out of any pre-screening of direct marketing
credit offers. In general, the limitations placed upon the
pre-screening process operate as privacy protections and, in the
circumstances, an opt-out rule is considered appropriate. In
the consumer credit regulatory environment, it appears that the
National Consumer Credit Protection (Home Loans and Credit
Cards) Act 2011 imposes an opt-in model for the receipt of
direct marketing of credit card limit increase invitations.
It appears that the opt-in approach is not used elsewhere in the
National Consumer Credit Protection Act and was chosen to address
particular concerns around the marketing of credit card limit
increases. While this approach was chosen in that particular
circumstance under that Act, the opt-out approach for pre-screening
is consistent with the privacy protections in place.

Subclause
(6) prohibits a credit reporting body from charging an individual
for making a request under subclause (5) or giving effect to the
request.

Subclause
(7) requires credit reporting bodies to make a written note of any
use of credit information under subclause (2) for
pre-screening. Written notes should be sufficiently
associated with the credit reporting information of the individual
to ensure that individuals are able to obtain access to all written
notes relating to their credit reporting information. Written
notes do not themselves fall within the definition of credit
information or credit reporting information, and so are not subject
to the specific retention rules set out in clause 20W.
However, as written notes would be personal information about an
individual, a credit reporting body will be subject to the general
obligations set out in the APPs in relation to the written notes of
disclosures. Breach of this obligation is subject to a civil
penalty of 500 penalty units.

Clause 20H Use or disclosure of pre-screening assessments

This
provision deals with the use and disclosure of pre-screening
assessments, a defined term which refers to paragraph
20G(2)(d). This provision regulates the progression of the
pre-screening process from the screening stage (dealt with in
clause 20G) on to the process of issuing the screened direct
marketing credit offers, by controlling the handling of the
pre-screening assessment information. Information flows in
the pre-screening process are essentially one-way - the
credit provider is not given the results of the pre-screening
process (referred to as the ‘pre-screening assessment’
in the Bill) and so cannot determine which individuals may have
been excluded from the direct marketing credit offer as a result of
the assessment. This is to ensure that credit providers are
not able to target direct marketing to those people who they know
have been excluded from their direct marketing offer. The
purpose of pre-screening is purely to provide a process to remove
individuals from direct marketing offers, not to allow credit
providers to target identified individuals with direct marketing
offers.

Subclause
(1) generally prohibits the use or disclosure of a pre-screening
assessment made by a credit reporting body. Breach of this
provision is subject to a civil penalty of 2000 penalty
units.

Subclause
(2) provides an exception to the prohibition in subclause
(1). This provision permits the credit reporting body to
disclose, for the purposes of direct marketing, the pre-screening
assessment to an Australian entity (that is, an entity which has an
Australian link). However, the provision does not permit the
disclosure of the pre-screening assessment back to the credit
provider on whose behalf the assessment was made. The credit
provider does not have any access to the pre-screening
assessment. As the recipient of the assessment must be an
entity, they will be subject to the APPs as well as the specific
obligations set out in relation to pre-screening assessments.
The entity (usually a mailing house) undertakes the direct
marketing of the credit offer on behalf of the credit provider,
consistent with the pre-screening assessment.

Subclause
(3) requires the credit reporting body to make a written note of
any disclosure under subclause (2). As with other written
notes, the notes should be sufficiently associated with the credit
reporting information of the individual to ensure that individuals
are able to obtain access to all written notes relating to their
credit reporting information. Written notes do not themselves
fall within the definition of credit information or credit
reporting information, and so are not subject to the specific
retention rules set out in clause 20W. However, as written
notes would be personal information about an individual, a credit
reporting body will be subject to the general obligations set out
in the APPs in relation to the written notes of disclosures.
Breach of this obligation is subject to a civil penalty of 500
penalty units.

Subclause
(4) establishes a general prohibition on any use or disclosure of
the pre-screening assessment by the recipient of the assessment
under subclause (2). Breach of this provision is subject to a
civil penalty of 1000 penalty units.

Subclause
(5) operates as an exception to the prohibition in subclause
(4). This provision allows the recipient to use the
pre-screening assessment for the purpose of doing the direct
marketing by, or on behalf of, the credit provider.

Subclause
(6) requires the recipient to make a written note of any use under
subclause (5). It is expected that this written note would be
accessible to the individual through the access provisions in the
APPs. Breach of this obligation is subject to a civil penalty
of 500 penalty units.

Subclause
(7) makes clear that, if the recipient of the pre-screening
assessment is an APP entity, then APPs 6, 7 and 8 do not apply in
relation to the pre-screening assessment.

Clause 20J Destruction of pre-screening assessment

This
provision deals with the destruction of pre-screening
assessments. Subclause (1) states that an entity (which
includes credit reporting bodies) that has possession or control of
a pre-screening assessment must destroy the assessment if it is no
longer needed for a purpose under clause 20H and the entity is not
required by or under an Australian law or court or tribunal order
to retain the assessment. The exception permitting retention
where it is required by or under Australian law is also appropriate
in these circumstances. Breach of this provision is subject
to a civil penalty of 1000 penalty units.

Subclause
(2) makes clear that, if the destruction obligation applies to an
APP entity that is not a credit reporting body, APP 11.2 does not
apply in relation to the pre-screening assessment. The
application of the APPs to credit reporting bodies in relation to
pre-screening assessments has already been addressed in clause
20A.

Clause 20K No use or disclosure of credit reporting information during a ban period

This
provision provides a mechanism for individuals to deal with
potential fraud, including identity fraud, by controlling the
disclosure of their credit reporting information in certain
circumstances for the purpose of assessing applications for
credit. In general terms, where an individual has reasonable
grounds to believe that they have been, or are likely to be, the
victim of fraud, they can request a credit reporting body not to
use or disclose credit reporting information about the
individual. There are limited exceptions to this general
rule, and the provision also deals with the period of time for
which the request remains active, and how to extend that period of
time. The terms fraud and identity fraud are not
defined. Activities that constitute identity fraud may change
over time. Guidance on identity fraud may be available from
law enforcement and crime prevention agencies.

This
provision is linked to other provisions to provide a thorough
response to identity fraud issues. Destruction of credit
reporting information by the credit reporting body in cases of
fraud is dealt with by clause 20Y. Clause 21F deals with
credit providers and limits the disclosure of credit information to
credit reporting bodies during a ban period. Essentially, if
a credit provider is unable to obtain access to an
individual’s credit reporting information to assess an
application for credit due to a ban period but proceeds to provide
credit to a person purporting to be the individual, the credit
provider cannot list any of the information about that credit as
part of the individual’s credit information (unless, as
provided in the exception, the credit provider has taken reasonable
steps to verify the individual’s identity). This is
intended to ensure that credit providers take reasonable steps to
identify a person to whom they intend to provide credit during a
ban period.

It is
expected that further practical details around the operation of
this provision would be covered in the registered CR code.
Matters that may be covered include: notifying the individual of
the effect of the ban period and the circumstances in which the
individual should be notified that the ban period is ending; the
extension of the ban period; notification of credit providers of
the ban period; and other relevant matters.

Subclause
(1) states that, where a credit reporting body holds credit
reporting information about an individual, and the individual
believes on reasonable grounds that they have been, or are likely
to be, the victim of fraud (including identity fraud), then the
individual can request the credit reporting body not to use or
disclose their credit reporting information. Where this
request is made, then despite any other provision of this Division,
the credit reporting body must not use or disclose the credit
reporting information during what is known as the ban period (a
term that is further defined in subclauses (3) to (5)).
Breach of this provision is subject to a civil penalty of 2000
penalty units. The individual must believe on reasonable
grounds that they have been, or are likely to be, the victim of
fraud. It is expected that this would generally mean that an
individual who is able to explain why they believe they have been,
or are likely to be, the victim of fraud would satisfy this
requirement. Identity fraud can happen quickly and
consequences for a victim of identity fraud can be
significant. In this context, the purpose of this provision
is to allow an individual who has been, or is likely to be, the
victim of fraud to act quickly to try to ameliorate the risk of
suffering losses. It is not expected that an individual would
ordinarily need to, for example, present documentary evidence to
support their belief.

The
purpose of this provision is to limit the consequences of actual or
suspected fraud on the individual. However, credit reporting
bodies are not prevented from informing credit providers of the
fact that a ban period is in place in relation to an
individual’s credit reporting information. Informing
credit providers of the ban period may assist them in preventing
the perpetrator of the alleged fraud from causing further harm to
the individual or others. It is expected that further
procedural details around notification of credit providers of a ban
period will be set out in the registered CR code.

Subclause
(2) provides limited exceptions to the prohibition on use or
disclosure of the individual’s credit reporting information:
where the individual expressly consents, in writing, to the use or
disclosure; or where the use or disclosure is required by or under
an Australian law or court or tribunal order (note that this
exception only operates where the use or disclosure is required and
does not operate in situations where the use or disclosure may
merely be authorised). Express consent by the individual in
writing is provided as an exception to ensure that the individual
is not adversely affected by the ban on the use or disclosure of
their credit reporting information. An individual who, for
example, had made, or was considering making, an application for
credit would be able to provide express consent for the credit
provider to obtain their credit reporting information from the
credit reporting body. The credit provider would also need to
take reasonable steps to identify the individual before relying on
the consent.

Subclause
(3) describes the operation of the ban period in relation to the
credit reporting information of an individual that has satisfied
subclause (1). The ban period starts when the individual
makes the request in paragraph (1)(c) and ends 21 days after the
day on which the request was made, or on the day after any
extension under subclause (4) ends.

Subclause
(4) permits the extension of the ban period after the initial 21
day period set out in subclause (3). The individual can,
before the ban period ends, request the credit reporting body to
extend the ban period. If an extension is requested, the
credit reporting body must believe on reasonable grounds that the
individual has been, or is likely to be, a victim of fraud.
If the body forms such a belief, the body must extend the ban
period by such period as it considers reasonable in the
circumstances and give the individual written notification of the
extension. Failure to comply with these requirements is
subject to a civil penalty of 1000 penalty units. The
difference from the initial request is that an extension can only
be made if the credit reporting body forms a belief on reasonable
grounds about the likelihood that the individual is, or may be, the
victim of fraud. A credit reporting body could ask the
individual to demonstrate the basis for their belief that they are,
or may be, the victim of fraud. This would depend on the
circumstances of each case, but would not necessarily require any
court based evidence (such as the arrest of a person who is alleged
to have committed the fraud). In some cases, the risk of
fraud may continue for a significant period and the credit
reporting body should make a judgement in the circumstances about the
appropriate period of time for the extension. It is not
intended that an individual would be placed under additional stress
by the imposition of short extension periods that have to be
regularly renewed if the circumstances do not warrant this
approach. In this context, the registered CR code may provide
more detail about the extension process.

Subclause
(5) permits a ban period to be extended more than once under
subclause (4).

Subclause
(6) states that an individual who requests a ban period under
paragraph (1)(c) or an extension of a ban period under paragraph
(4)(b) should not be charged by the credit reporting body for
making the request or giving effect to the request.

Clause 20L Adoption of government related identifiers

This
provision is based on the obligations set out in APP 9(1), modified
to apply specifically to credit reporting bodies.

Subclause
(1) states that if a credit reporting body holds credit reporting
information about an individual and that information is also a
government related identifier of the individual, the credit
reporting body must not adopt it as its own identifier of the
individual. Breach of this provision is subject to a civil
penalty of 2000 penalty units.

Subclause
(2) provides an exception to the prohibition where the adoption of
a government related identifier is required or authorised by or
under an Australian law or a court or tribunal order.

Clause 20M Use or disclosure of credit reporting information that is de-identified

This provision deals with the use and disclosure of credit
reporting information that has been de-identified for research
purposes in relation to the assessment of credit worthiness of
individuals. Generally, de-identified personal information is
not regulated. The purpose of regulating de-identified credit
reporting information is to clarify that such information can be
used or disclosed in specified circumstances. The use and
disclosure provisions for credit reporting agencies are
prescriptive and do not permit any secondary uses or disclosures of
credit reporting information. However, it appears that
information from the credit reporting system has in the past been
used for the purpose of conducting research (including statistical
modelling and data analysis) relating to the assessment or
management of credit. This research, where it is in the
public interest, should be expressly permitted. Conducting
research with de-identified personal information enhances privacy
protection and appears to be consistent with existing industry
practices. In addition, research is not a primary purpose of
the credit reporting system and it is not appropriate to allow
credit reporting information that identifies individuals to be used
for research purposes. However, there can be concerns about
the effectiveness of methods used to de-identify personal
information and the risks of that information subsequently being
linked again to individuals in a way that allows them to be
identified. To ensure that the proposed research is
consistent with these policy objectives and is appropriately
limited in scope, the research will only be permitted where it
complies with rules that the Commissioner may make about the use or
disclosure of de-identified credit reporting information for
research purposes. Permitting disclosure, as well as use, of
the de-identified information is necessary to ensure that the
credit reporting body can, for example, obtain expert assistance to
conduct the research or is able to make the research available to
credit providers, as well as other interested parties such as
consumer credit advocates and privacy advocates.

Subclause (1) sets out a general prohibition on the use or
disclosure of credit reporting information held by the credit
reporting body that has been de-identified. Subclause (2)
provides an exception to this prohibition where the use or
disclosure of the de-identified information is for the purposes of
conducting research in relation to the assessment of the credit
worthiness of individuals. In addition, the credit reporting
body must comply with rules made under subclause (3) by the
Commissioner. Subclause (3) states that the Commissioner may
make rules relating to the use or disclosure of de-identified
information for the purposes of conducting research in relation to
the assessment of the credit worthiness of individuals.
Subclause (4) lists certain matters that, without limiting
the Commissioner's power to make rules under subclause (3), the
rules may deal with. The list identifies matters that are
relevant to ensuring that the permitted research is for the general
benefit of the public and in the public interest.

Subdivision E - Integrity of credit reporting information

20N Quality of credit reporting information

This provision is based on the obligations set out in APP 10,
modified, and with additional provisions, to apply specifically to
credit reporting bodies.

Subclause (1) provides that a credit reporting body must take such
steps as are reasonable in the circumstances to ensure that the
credit reporting information the body collects is accurate,
up-to-date and complete. Subclause (2) applies to the use or
disclosure of credit reporting information and includes an
additional requirement of relevance. The
requirement for information to be ‘complete’ does not
require credit reporting bodies to enter into agreements with
credit providers to ensure that all available credit information
about the individual is disclosed, or for credit providers to
disclose all available credit information to the body.
The credit reporting body must take such steps as are reasonable in
the circumstances to ensure that the credit reporting information
the body uses or discloses is, having regard to the purpose of the
use or disclosure, accurate, up-to-date, complete and
relevant. The additional requirement of relevance means that
the actual purpose of the use or disclosure must be
considered. As all uses and disclosures of credit reporting
information by credit reporting bodies are regulated by this
Division, this will require careful consideration of the relevant
provisions.

These provisions must be read in conjunction with the other
provisions in this Division. Other provisions impose various
restrictions on the collection, use and disclosure of some or all
types of credit reporting information. For example, repayment
history information is subject to specific restrictions to limit
collection, use and disclosure to situations where credit providers
are subject to responsible lending obligations by being licensees
(as defined). In these circumstances, the disclosure, for
example, of repayment history information will be restricted and
this will limit the general obligation to disclose complete credit
reporting information.

Subclause (3) sets out additional obligations imposed on credit
reporting bodies to ensure they take appropriate steps to maintain
the quality of credit reporting information. These
obligations, which do not limit the general obligations set out in
subclauses (1) and (2), require credit reporting bodies to enter
into agreements with credit providers to ensure that credit
information they disclose to the bodies is accurate, up-to-date and
complete; a monitoring obligation, in the form of a requirement to
ensure regular audits are conducted by an independent person to
determine whether the agreements are being complied with; and an
enforcement obligation, which requires bodies to identify and deal
with suspected breaches of the agreements. It is expected
that credit reporting bodies would have a range of enforcement
mechanisms available to deal with breaches of the agreement, up to
and including termination of the agreement with the credit
provider, removing the credit provider from the credit reporting
system. It is also expected that arrangements would be made
to ensure an effective dispute resolution process was in place to
deal with differences between bodies and credit providers in
relation to the enforcement of the agreements. The purpose of
these specific obligations is to ensure that both credit reporting
bodies and credit providers take proactive steps in establishing
practices which maintain the quality of credit information.
Given that credit reporting bodies will play a central role in
handling and managing credit information it is appropriate that
they be charged with the responsibility to develop appropriate
agreements. It is expected the registered CR code will
include further practical details and obligations around the
matters set out in subclause (3) to provide additional guidance to
credit reporting bodies and credit providers.

Clause 20P False or misleading credit reporting information

This provision deals with using or disclosing false or misleading
credit reporting information. It provides both an offence
provision and a civil penalty provision to deal with this
conduct. While civil penalty provisions have generally been
used throughout the Bill to deal with situations in which breach of
a provision warrants the imposition of a penalty, some kinds of
conduct require the imposition of criminal penalties.
Providing for both a criminal offence and a civil penalty in this
provision gives the courts appropriate options to deal with the
behaviour, depending on the circumstances of each case.

Subclause (1) states that a credit reporting body commits an
offence if the body uses or discloses credit reporting information
under this Division and the information is false or misleading in a
material particular. Use or disclosure of unsolicited credit
reporting information under subclause 20D(2) or the use or
disclosure of information for consultation in response to an
individual's request to correct their credit information under
subclause 20T(4) are expressly excluded as these are circumstances
where the information may be false or misleading and the credit
reporting body either does not know, or is taking action to deal
with, the errors. The penalty for this offence is 200 penalty
units.

Subclause (2) sets out a civil penalty. A credit reporting
body must not use or disclose credit reporting information under
this Division if the information is false or misleading in a
material particular. Once again, any use or disclosure under
subclauses 20D(2) or 20T(4) is excluded from the civil
penalty. The civil penalty for breach of this provision is
2000 penalty units.

Clause 20Q Security of credit reporting information

This provision is based on the obligations set out in APP 11,
modified, and with additional provisions, to apply specifically to
credit reporting bodies. The additional obligations imposed
on credit reporting bodies in this provision are based on the
additional obligations imposed on bodies by clause 20N to maintain
the quality of credit information.

Subclause (1) provides that a credit reporting body that holds
credit reporting information must take such steps as are reasonable
in the circumstances to protect the information from misuse,
interference and loss, and from unauthorised access, modification
or disclosure. These are fundamental obligations and no
exceptions are provided for these obligations.

Subclause (2) sets out additional obligations imposed on credit
reporting bodies to ensure they take appropriate steps to maintain
the security of credit reporting information. These
obligations, which do not limit the general obligations set out in
subclause (1), require credit reporting bodies to enter into
agreements with credit providers to ensure that credit providers
protect credit reporting information (that is, the category of
information that they receive from credit reporting bodies) from
misuse, interference and loss, and from unauthorised access,
modification or disclosure. This is followed by a monitoring
obligation, in the form of a requirement to ensure regular audits
are conducted by an independent person to determine whether the
agreements are being complied with, and an enforcement obligation,
which requires bodies to identify and deal with suspected breaches
of the agreements. It is expected that credit reporting
bodies would have a range of enforcement mechanisms available to
deal with breaches of the agreement, up to and including
termination of the agreement with the credit provider, removing the
credit provider from the credit reporting system. It is also
expected that arrangements would be made to ensure an effective
dispute resolution process was in place to deal with differences
between bodies and credit providers in relation to the enforcement
of the agreements. The purpose of these specific obligations
is to ensure that both credit reporting bodies and credit providers
take proactive steps in establishing practices which maintain the
security of credit information. Given that credit reporting
bodies will play a central role in handling and managing credit
information it is appropriate that they be charged with the
responsibility to develop appropriate agreements. It is
expected the registered CR code will include further practical
details and obligations around the matters set out in subclause (2)
to provide additional guidance to credit reporting bodies and
credit providers.

Subdivision F - Access to, and correction of, information

Clause 20R Access to credit reporting information

This provision is based on the obligations set out in, and the
structure of, APP 12, modified to apply specifically to credit
reporting bodies. It is generally intended that access to
credit reporting information should occur on the same terms as
access to personal information held by an APP entity.

Subclause
(1) states the general obligation that if a credit reporting body
holds credit reporting information about an individual, the body
must, on request by an access seeker, give the access seeker access
to the information. The term access seeker is defined in
clause 6L. In this context an access seeker means the
individual to whom the credit reporting information relates, or a
person who is assisting the individual to deal with the credit
reporting body, or an agent of the individual (that is, a person
who is authorised in writing by the individual for the purpose of
clause 20R, noting the exception provided for the National Relay
Service in the definition of ‘access seeker’).
The term is subject to certain exceptions set out in the
definition.

This
provision permits the individual to obtain access to their credit
reporting information. This includes both the credit
information about the individual and the CRB derived information
about the individual (for example, any credit scoring or analysis
about the individual). While the individual can obtain access
to the CRB derived information about them, this does not provide
them with a right to access the methodology, data analysis methods,
computer programs, or other information that the credit reporting
body may use to manage their credit reporting information or to
analyse their credit information to produce the CRB derived
information.

Subclause
(2) sets out exceptions to access. This list of exceptions
has been deliberately modified and reduced from the list of
exceptions set out in APP 12.3, on the basis that there is a
significant public interest in ensuring individuals have access to
their credit reporting information. These are the only
grounds on which access can be refused. This provision states
that the credit reporting body is not required to give access to
the credit reporting information to the extent that: giving access
would be unlawful (whether under the Privacy Act or another
enactment); denying access is required or authorised by or under an
Australian law or a court or tribunal order; or giving access would
be likely to prejudice one or more enforcement related activities
(a defined term - see schedule 1) by, or on behalf of, an
enforcement body (defined in the Act).

Subclause
(3) states that a credit reporting body must respond to the request
for access within a reasonable period, but not longer than 10 days,
after the request is made. It is considered that 10 days is a
sufficient maximum period to provide access to an
individual’s credit reporting information and it is expected
that reasonable access would ordinarily occur well within the 10
day period. The business of credit reporting bodies is
handling and managing credit reporting information about
individuals, so it is expected that bodies will have developed
efficient systems to provide ready access to individuals
seeking their credit reporting information.

Subclause
(4) deals with the means of access. It states that, if a
credit reporting body gives access, the access must be given in the
manner set out in the registered CR code.

Subclauses
(5) and (6) deal with access charges and require credit reporting
bodies to provide individuals with free access to their credit
reporting information once every 12 months, on request of the
access seeker. Subclause (5) states that the credit reporting
body must not charge an access seeker for making a request or for
access if a request has not been made to the body in the previous
12 months. Subclause (6) provides that, if subclause (5) does
not apply, any charge by the credit reporting body for giving
access must not be excessive and must not apply to the making of
the request. This is the same test that applies under APP
12.8.

It is
considered that credit reporting information is a particularly
significant kind of personal information. As credit reporting
information is used for matters relating to an individual’s
credit related activities where errors or omissions may have
significant consequences for the individual, it is essential that
the individual be able to obtain free access on a reasonably
regular basis. It is considered that free annual access
should generally be sufficient. However, there may be
circumstances where an individual requires more regular access in a
12 month period, for example where the individual is the victim of
fraud or identity fraud. Credit reporting bodies are not
required to charge in every instance after the first free access in
12 months and it is expected that bodies will be flexible in the
application of any charges for access.

Subclause
(7) sets out the process of providing notice to the access seeker
where access is refused. It provides that, where access is
refused because of subclause (2) (which sets out the only
exceptions to access), the credit reporting body must give the
access seeker a written notice that sets out the reasons for the
refusal. The obligation to provide reasons is limited to the
extent that it would be unreasonable to do so, having regard to the
grounds for the refusal. For example, where access to some of
an individual’s credit reporting information is refused
because it may prejudice an enforcement related activity, it may be
unreasonable to set out the details of the law enforcement activity
or even that the law enforcement activity has provided the basis
for restricting access to a part of the individual’s credit
reporting information.

Subclause
(7) goes on to provide that the written notice provided to the
access seeker must inform the access seeker that, if they are not
satisfied with the response to the request, they may access a
recognised external dispute resolution scheme of which the body is
a member (and provide contact details for that scheme) or make a
complaint to the Commissioner under Part V of the Act.

Clause 20S Correction of credit reporting information

Clauses 20S, 20T and 20U are based on the obligations set out in
APP 13, modified, and with additional provisions, to apply
specifically to credit reporting bodies. Read together, these
three provisions set out a correction process that provides
individuals with specific rights and deal with matters that are
particularly important in the context of credit reporting, such as
providing evidence to substantiate disputed personal information in
the credit reporting system. Importantly, individuals are
able to request the correction of their personal information that
may not be held by the credit reporting body, requiring the credit
reporting body to consult with the appropriate credit reporting
body or credit provider. This imposes a specific obligation
on bodies and credit providers to assist individuals to correct
their personal information, no matter whom it is held by in the
credit reporting system. This means that the credit reporting
body or credit provider to which the individual first makes a
correction request must deal with that request and assist the
individual to have their personal information corrected. The
industry participants in the credit reporting system derive
significant benefits from the availability of information about
individuals in the system and it is considered appropriate that
they take on obligations to assist individuals to correct their
information. These provisions are mirrored by clauses 21U,
21V and 21W which impose similar obligations on credit
providers.

Clause 20S
sets out the general obligations on credit reporting bodies to
correct credit reporting information. The correction
obligation is expressly linked to the obligations on credit
reporting bodies to ensure the quality of the credit reporting
information they maintain. Subclause (1) provides that a
credit reporting body must take reasonable steps (if any) to
correct credit reporting information that is inaccurate,
out-of-date, incomplete, irrelevant or misleading. Correction
should take into account the purpose for which the information is
held. The purpose of holding information will depend on the
provisions of this Division and the definitions, and this will then
inform decisions about whether information may be inaccurate,
out-of-date, incomplete, irrelevant or misleading (note that if at
least one of these descriptions can be applied to an
individual’s credit reporting information it must be
corrected). For example, credit information may include an
individual’s current address and up to two previous addresses
in the previous five years, if any. Holding the previous
addresses does not mean that the credit reporting body has
out-of-date information. However, address information may
become out-of-date if, for example, the individual moves from their
current address and the credit reporting body is made aware of this
change, as the body will now be required to up-date the address
information.

Subclause
(2) states that a credit reporting body who has corrected credit
reporting information that has previously been disclosed under this
Division (with the exception of disclosure in relation to
unsolicited information under subclause 20D(2) and disclosure to
consult on a correction request under subclause 20T(4)) must,
within a reasonable period, give each recipient of the information
written notice of the correction. This obligation is to
ensure that other recipients are aware of the correction and can
take appropriate action to up-date their own records. As
recipients of an individual’s credit reporting information
may be making credit related decisions of significance for the
individual, it is important that any corrections are transmitted
quickly and efficiently. It is expected that the registered
CR code will deal with notification periods and
procedures.

Subclause
(3) provides that the obligation for written notice under subclause
(2) does not apply if it is impracticable for the credit reporting
body to give the notice or the credit reporting body is required by
or under an Australian law, or a court or tribunal order, not to
give the notice. It is expected that it would generally
always be practicable for a credit reporting body to give the
notice, as bodies must make written notes of any disclosures and
they will also have agreements in place with the recipients of the
information, for example to implement the requirements of
subclause 20Q(2) on security. However, there may be
circumstances where it is impracticable to provide the notice, for
example where a credit provider has ceased trading.

This
provision sets out the process by which an individual may request
the correction of certain personal information about them which is
held in the credit reporting system. An individual is able to
make a request for the correction of their information to a credit
reporting body and the body must, if it does not hold the
information or cannot be satisfied that the information should be
corrected, take steps to consult another body or a credit provider
to assist in resolving the individual’s request.

Subclause
(1) provides that an individual may request a credit reporting body
to correct specified kinds of personal information in the credit
reporting system if the body holds at least one of the specified
kinds of personal information. The personal information about
the individual that may be subject to a correction request may be
credit information, CRB derived information, or CP derived
information. While a credit reporting body will not hold CP
derived information, the provision permits an individual to make a
correction request about this kind of information to the
body.

Subclause
(2) states the obligation to correct the personal information if
the credit reporting body is satisfied that it is inaccurate,
out-of-date, incomplete, irrelevant or misleading. The
correction must be made within 30 days from the day the request is
made, or such longer time as the individual agrees in
writing. It is expected that the registered CR code will deal
in greater detail with the process around which extensions of time
to respond to correction requests are proposed to the
individual. However, it is generally expected that most
requests for correction should be resolved within the 30 days
specified in this provision. The period of 30 days has been
specified to provide adequate time for consultation to occur under
subclause (3), so the fact that consultation is required should not
in itself be grounds for a body to request that the individual
agree to a longer period for consideration of the correction
request. Where consultation is not required, it is expected
that the correction request would ordinarily be considered and
resolved well within the 30 days. The correction and
complaint processes have been streamlined so that an individual can
lodge a complaint with the Commissioner or a recognised external
dispute resolution service immediately upon receiving notice of a
refusal to make the requested correction under clause 20U.
Accordingly, it is considered that a maximum period of 30 days in
all but unusual cases should not present an unreasonable delay for
the individual to have their correction request considered and
resolved.

Where the
personal information is corrected by the credit provider after
consultation with another credit provider, then the notice
obligations set out in clause 21W will operate. Any
interested party consulted must be given notice of the
correction. Those interested parties would be required to
correct any personal information they hold or maintain to which the
notice of correction relates by the operation of clause 20S (for a
credit reporting body) or clause 21U (for a credit provider), which
requires bodies or providers to ensure certain personal information
they hold or maintain is not inaccurate, out-of-date, incomplete,
irrelevant or misleading.

Subclause
(3) deals with the process where the credit reporting body must
consult so that it can be satisfied of the matter raised in the
correction request. A credit reporting body may consult an
interested party, which is either or both of another credit
reporting body or a credit provider about the individual’s
request. However, the credit reporting body can only consult
an interested party that has an Australian link, consistent with
the limitation of the credit reporting system to
Australia.

Subclause
(4) authorises the use or disclosure of personal information about
the individual for the purposes of consultation under subclause
(3). As this information is being used or disclosed because
it may not be correct, exceptions exist in other provisions in
relation to quality obligations.

Subclause
(5) states that the credit reporting body must not charge the
individual for the making of the correction request or for
correcting the information.

Clause 20U Notice of correction etc must be given

This
provision sets out the notice requirements that apply where the
credit reporting body corrects, or does not correct, an
individual’s personal information.

Subclause
(1) states that this provision applies if an individual requests a
credit reporting body to correct personal information under clause
20T.

Subclause
(2) deals with notice requirements where a credit reporting body
has corrected the individual’s personal information.
The credit reporting body must, within a reasonable time, give
written notice of the correction to the individual, to any
interested party that the body consulted about the
individual’s correction request, and, where the information
has been previously disclosed, to each recipient of the information
(except where the disclosures were in relation to unsolicited
information under subclause 20D(2) or the correction request under
subclause 20T(4) - in the latter case, anyone consulted must
in any event be given written notice). However, subclause (4)
states that notice to all recipients is not necessary if it is
impracticable for the credit reporting body to give the
notice. It is expected that it would generally always be
practicable for a credit reporting body to give the notice, as
bodies must make written notes of any disclosures and they will
also have agreements in place with the recipients of the
information, for example to implement the requirements of
subclause 20Q(2) on security. It may be impracticable to
give notice in situations where, for example, the recipient of the
information has ceased trading.

Subclause
(3) deals with notice requirements where a credit reporting body
does not correct the personal information as requested. The
credit reporting body must, within a reasonable time, give the
individual written notice: stating that the correction has not been
made; setting out the body’s reasons for not correcting the
information; and informing the individual that, if they are not
satisfied with the body’s response to the request, the
individual may access a recognised external dispute resolution
scheme of which the body is a member or make a complaint to the
Commissioner under Part V of the Act. When the body sets out
its reasons for not correcting the information, the body is
required to include evidence substantiating the correctness of the
information. The kind of evidence that might substantiate the
correctness of the information will depend on the circumstances and
the kind of credit reporting information that is the subject of the
correction request. For example, evidence to substantiate a
default listing should show that all the elements of the definition
of default have been satisfied, including evidence around the
timing the notice requirements, and other such matters. Given
that a default listing has a significant impact upon an
individual’s credit worthiness, information about the steps
taken by the credit provider to satisfy the requirements of the
default definition would be necessary, as well as other relevant
evidence. This substantiation requirement means that the onus
of proving the correctness of information that has been challenged
by an individual rests with the body (which, through the
consultation requirements in clause 20T, can obtain substantiation
evidence from another body or credit provider). It is
expected that this substantiation requirement will assist in
resolving disputes quickly and efficiently, because if evidence
substantiating the information cannot be produced it is very
unlikely that the body would not be satisfied that the information
should not be corrected as requested by the individual. In
such circumstances the general obligations to maintain accurate,
up-to-date and complete information will operate in support of the
obligations to correct the information.

Subclause
(5) sets a general exception to the notice obligations in
subclauses (2) and (3) if the credit reporting body is required by
or under an Australian law or a court or tribunal order not to give
the notice.

Clause 20V Destruction etc. of credit reporting information after the retention period ends

Generally,
personal information should be destroyed if it is no longer
necessary for the purpose for which it was collected. The
very specific nature of the personal information in the credit
reporting system and the significant privacy sensitivities around
this personal information for individuals means that rules are
necessary to limit the retention of the information to specific
periods of time and to ensure the destruction, or
de-identification, of certain kinds of personal
information.

This
provision sets out the rules requiring the destruction of credit
reporting information after the retention period for the
information has ended. The retention periods are specified in
clauses 20W and 20X. There are different retention
periods for different kinds of credit reporting information.
The requirement to destroy information applies to the particular
information for which the retention period has ended. This
means that destruction obligations for different kinds of credit
reporting information of an individual will require continual
monitoring to ensure compliance with the destruction
obligations.

Subclause
(1) sets out the application rule for this provision. The
provision applies if the credit reporting body holds credit
reporting information about an individual and the retention period
ends. However, as indicated in the note, there is no
retention period for identification information or credit
information that is specified in paragraph 6N(k), which refers to
certain kinds of publicly available information.
Identification information is not subject to a specific retention
period because it is necessary to identify the individual in
relation to the other kinds of credit information. However,
where a credit reporting body is left with only identification
information about an individual because all other information has
been destroyed consistent with this provision, the credit reporting
body can no longer collect any updated identification information
under clause 20C. It is expected the remaining identification
information would be destroyed consistent with the obligations to
maintain up-to-date records.

Different
destruction rules apply to different credit information and CRB
derived information (which together make up the credit reporting
information). Where the retention period for credit
information has ended, subclause (2) requires the information to be
destroyed or de-identified within one month of the end of the
retention period. Failure to comply with this obligation is
subject to a civil penalty of 1000 penalty units. Subclause
(3) provides an exception to the destruction rule where,
immediately before the retention period ends, there is a pending
correction request or a pending dispute (under the complaints
arrangements in Division 5 or Part V of the Act) in relation to the
credit information. Failure to comply with these exceptions
is subject to a civil penalty of 500 penalty units. Subclause
(4) provides an exception from the destruction rule if the credit
reporting body is required by or under an Australian law or a court
or tribunal order to retain the information.

Subclause
(5) sets out the destruction rule for CRB derived
information. A credit reporting body must destroy, or
de-identify, any CRB derived information that was derived from the
individual’s credit information in the circumstances
described. Where the CRB derived information is derived from
two or more kinds of credit information, and at least one of those
kinds of credit information must be destroyed or de-identified
because the retention period has ended, then the CRB derived
information must also be destroyed or de-identified at the same
time. The effect of this rule is that the retention period
for CRB derived information will always be linked to the kind of
credit information that has the shortest retention period and which
was used to derive the CRB derived information. For example,
CRB derived information that is derived in part from repayment
history information will be subject to the two year retention
period for that kind of information, irrespective of whether the
other kinds of credit information also used to derive the CRB
derived information had longer retention periods. In all
other situations, paragraph (5)(b) provides that the CRB derived
information is destroyed or de-identified at the same time as the
credit information from which it is derived is destroyed or
de-identified. This rule applies to those situations where
the CRB derived information is derived from only one kind of credit
information. Failure to comply with any of the obligations in
this subclause is subject to a civil penalty of 1000 penalty
units.

Subclause
(6) provides an exception to the destruction rule for CRB derived
information where, immediately before the retention period ends,
there is a pending correction request or a pending dispute (under
the complaints arrangements in Division 5 or Part V of the Act) in
relation to the CRB derived information. Failure to comply
with these exceptions is subject to a civil penalty of 500 penalty
units. Subclause (7) provides an exception from the
destruction rule for CRB derived information if the credit
reporting body is required by or under an Australian law or a court
or tribunal order to retain the information.

Clause 20W Retention period for credit information - general

Clause 20W
sets out the retention periods for credit information held by a
credit reporting body that is not personal insolvency information
(which is dealt with in clause 20X). The items in the table
describe the different kinds of credit information and the
retention period for that information. As noted above, no
retention period is specified for credit information that is
identification information about an individual or credit
information that is specified kinds of publicly available
information.

Item 1 of
the table sets the retention period for consumer credit liability
information, a defined term, at 2 years from the day on which the
consumer credit to which the information relates is terminated or
ceases to be in force. This means consumer credit liability
information can be retained for as long as the consumer credit to
which it relates continues to run, and then for two years after
that consumer credit has been terminated. In some
circumstances, depending on the type of credit, an individual may
have no further repayment obligations but the credit may remain
available for the individual to use at a later date. This
type of credit product would continue to be in force while credit
remains available, and the relevant consumer credit liability
information could continue to be held, until such time as the
credit product is clearly terminated by closing the credit product
so that credit is no longer available to the individual. At
that point the two year retention period would commence.

Item 2 of
the table sets the retention period for repayment history
information, a defined term, at 2 years from the day on which the
monthly payment to which the information relates is due and payable. This means
that there is a rolling two year retention period for repayment
history information. Information on any particular monthly
payment can be held for no more than two years.

Item 3 of
the table sets the retention period for information requests (as
described in paragraph 6N(d)) and the type and amount of
credit sought in an application (as described in paragraph 6N(e))
at 5 years from the day on which the information request to which
the information relates is made.

Item 4 of
the table sets the retention period for default information (a
defined term) at 5 years from the day that the credit reporting
body collects the information. It is necessary to link the
retention period to the collection by the body because there is no
other precisely defined date that is readily available to the
credit reporting body.

Item 5 of
the table sets the retention period for payment information (a
defined term) at 5 years from the day on which the default
information to which the payment relates is collected by the credit
reporting body. As the payment information directly relates
to the default its retention is linked to the default. It
would not be possible to allow retention for a longer period (for
example, retention for 5 years from the date of the payment) as
this would effectively provide notice of the existence of a prior
default even after the default itself could no longer be
retained.

Item 6 of
the table sets the retention period for new arrangement information
as defined in subclause 6S(1) at 2 years from the day that the
credit reporting body collects the default information to which the
new arrangement relates.

Item 7 of
the table sets the retention period for new arrangement information
as defined in subclause 6S(2) at 2 years from the day that the
credit reporting body collects the information about the opinion to
which the new arrangement information relates.

Item 8 of
the table sets the retention period for court proceedings
information at 5 years from the day on which the judgement to which the
information relates is made or given. Note that
the date of judgement may be earlier than the date that the
judgement is reported or reasons published.

Item 9 of
the table sets the retention period for information under paragraph
6N(l) that is an opinion of a credit provider that an individual
has committed a serious credit infringement (a defined term) at 7
years from the day the credit reporting body collects the
information.

Clause 20X
sets out the retention periods for credit information that is held
by a credit reporting body. The items in the table describe the
different kinds of personal insolvency information and the
retention period for that information. For each kind of
personal insolvency in the table two retention periods are given,
the first retention period counted from the start of the personal
insolvency (and in each case is 5 years) and the second retention
period counted from the end of the personal insolvency (and the
retention period varies depending on the type of personal
insolvency). In each case, the later of the two retention
periods is the operative period. The reason for including a
retention period for the end of each kind of personal insolvency is
to recognise the significant differences between the kinds of
personal insolvency arrangements. Depending on the kind of
arrangement that an individual has entered, they may have made
significant efforts to meet their obligations under the
arrangement, while other individuals may have made no
efforts. These differences should be recognised in
determining an individual’s credit worthiness. The
minimum period for the retention of any kind of personal insolvency
information will be 5 years, as it is considered that this is an
appropriate period to provide information to credit providers to
allow them to assess credit risk but to then allow individuals to
have the opportunity of a fresh start to their financial affairs at
the end of this period. However, the operation of the
retention periods means that in appropriate cases the personal
insolvency information may be retained for a longer period
depending on the retention period permitted at the end of each kind
of personal insolvency.

Item 1 of
the table sets the retention period for information about the
bankruptcy of an individual at the later of 5 years from the day
the individual becomes bankrupt, or 2 years from the day the
bankruptcy ends.

Item 2 of
the table sets the retention period for information about a
personal insolvency agreement (other than an agreement covered by
item 3 of the table) at the later of 5 years from the day on which
the agreement is executed, or 2 years from the day the agreement is
terminated or set aside.

Item 3 of
the table sets the retention period for information about a
personal insolvency agreement in relation to which a certificate
has been signed under section 232 of the Bankruptcy Act at the
later of 5 years from the day on which the agreement is executed,
or the day on which the certificate is signed.

Item 4 of
the table sets the retention period for information about a debt
agreement (other than an agreement covered by item 5 of the table)
at the later of 5 years from the day the agreement starts, or 2
years from the day the agreement is terminated, or the whole
agreement is declared void, under the Bankruptcy Act.

Item 5 of
the table sets the retention period for information about a debt
agreement that ends under section 185N of the Bankruptcy Act at the
later of 5 years from the day the agreement starts, or the day on
which the agreement ends.

Subclause
(2) provides special rules for the retention of information of debt
agreement proposals under the Bankruptcy Act. Special
retention rules are required because proposals are not yet debt
agreements and there are various things that may happen to
proposals under the Bankruptcy Act. As soon as one of the
things happens in relation to the debt agreement proposal as
specified in paragraphs (a) to (d) the retention period
ends.

Subclause
(3) provides a special rule for the retention of personal
insolvency information relating to a direction given, or an order
made, under section 50 of the Bankruptcy Act, which deals with the
control of certain property. The retention period ends on the
day the control of the property to which the direction or order
relates ends.

Subclause
(4) provides a special rule for the retention of personal
insolvency information that relates to an authority signed under
section 188 of the Bankruptcy Act. The retention ends on the
day on which the property to which the authority relates is no
longer subject to control under Division 2, Part X of that
Act.

Subclause
(5) states an interpretation rule, which ensures that expressions
used in this provision and in the Bankruptcy Act have the meaning
set out in that Act.

Clause 20Y
sets out a special destruction rule for information in cases of
fraud. Clause 20K provides rules dealing with the use or
disclosure of credit reporting information where an individual has
been, or is likely to be, the victim of fraud. In cases where
the individual has been the victim of fraud and consumer credit was
provided to someone other than the individual, the individual
should not continue to have information about that fraudulently
obtained consumer credit maintained as part of their credit
reporting information. However, as the information is about
consumer credit that was supplied to someone purporting to be the
individual, there may be uncertainty around how to deal with this
information in the context of the rules set out in clauses 20N
(about the quality of credit reporting information) and 20P
(prohibiting the maintenance of false or misleading credit
reporting information). This provision sets out special rules
to deal with this situation.

Subclause
(1) sets out the circumstances under which this provision
applies. The credit reporting body must hold credit reporting
information about an individual. The information must relate
to consumer credit that has been provided by a credit provider to
the individual, or a person purporting to be the individual.
Finally, the body must be satisfied that the individual has
been a victim of fraud and that the consumer credit was provided as
a result of that fraud. While it is for the body to be
satisfied of these matters, the evidence necessary to satisfy the
body of these matters should be appropriate in the
circumstances. For example, it is not expected that
court-based evidence would be necessary in every case before the
body was satisfied of these matters. The appropriate evidence
will depend on the circumstances of the fraud.

Where the
requirements of subclause (1) have been satisfied, subclause (2)
provides that the credit reporting body must destroy the credit
reporting information. Within a reasonable period of time
after the information is destroyed, the body must also give the
individual a written notice stating that the information has been
destroyed and informing the individual that any third parties which
received the information will be notified of the
information’s destruction (as required by
subclause (4)). The body must also give the credit
provider that provided the consumer credit as a result of the fraud
a written notice stating that the information has been
destroyed. Breach of this provision is subject to a civil
penalty of 1000 penalty units.

Subclause
(3) sets out an exception to the destruction requirement in
subclause (2). The requirements of subclause (2) do not apply
if the credit reporting body is required by or under an Australian
law or a court or tribunal order to retain the credit reporting
information.

Subclause
(4) sets out notice obligations about the destruction of the
information to third parties. Where information has been
destroyed under subclause (2), and the credit reporting body has
previously disclosed the information to one or more recipients
under Subdivision D of this Division, the body must within a
reasonable period after the destruction notify those recipients of
the destruction and that the body is satisfied the individual was a
victim of fraud and that the consumer credit was provided as a result of
that fraud. This is a general obligation to notify all
recipients and the individual does not need to request notification
of third parties. Breach of this provision is subject to a civil
penalty of 500 penalty units. Credit reporting bodies will
have retained written notes of any disclosures of the information,
as required by various provisions in Subdivision D, which will
assist them to comply with this obligation. Given the
significance of credit reporting information to individuals and
that decisions about an individual’s credit worthiness may be
made based on that information in the future, it is important that
notification of all previous recipients occurs so that they can
satisfy their obligations to maintain the quality of the credit
reporting information that they hold.

Subclause
(5) provides an exception to subclause (4). The requirements
of subclause (4) do not apply if the credit reporting body is
required by or under an Australian law or a court or tribunal order
not to give the notification.

Clause 20Z Dealing with information if there is a pending correction request etc

Clause 20Z
sets out rules to deal with situations where there is a pending
correction request or a pending dispute in relation to credit
reporting information that may otherwise be subject to destruction
under clause 20V. In these circumstances it would not be
appropriate to destroy the information. However, given that
the retention would, but for the operation of these exceptions, be
contrary to the destruction obligations, it is important that the
Commissioner be informed of the situation and have the opportunity
to issue directions about what must be done with the
information. There is no similar provision for credit
providers because they do not have any specific destruction
obligations like those set out in clause 20V for credit reporting
bodies.

Subclause
(1) sets out the application of the provision. The credit
reporting body must hold credit reporting information about the
individual and either subclause 20V(3) or 20V(6) must apply in
relation to the information. Subclause (2) requires the
credit reporting body to notify the Commissioner as soon as
practicable of this situation. Breach of this notification
requirement is subject to a civil penalty of 1000 penalty
units. Subclause (3) prohibits any use or disclosure of this
information, breach of which is subject to a civil penalty of 2000
penalty units. However, subclause (4) permits use or
disclosure of the information if it is for the purposes of the
pending correction request, or pending dispute, in relation to the
information. Use or disclosure of the information is also
permitted if the use or disclosure is required by or under an
Australian law or court or tribunal order. If any use or
disclosure occurs under subclause (4), then subclause (5) requires
a written note to be made of that use or disclosure, subject to a
civil penalty of 500 penalty units. This is consistent with
the general approach of requiring credit reporting bodies to make
written notes of any uses or disclosures of credit reporting
information.

Subclause
(6) gives the Commissioner the power to direct, by legislative
instrument, that the credit reporting body destroy the information,
or ensure it is de-identified, by a specified day. This power
may be exercised by the Commissioner in appropriate circumstances
to resolve the issue of whether the information should be destroyed
or retained. For example, in some instances an individual may
agree to the destruction of the information without resolving their
correction request on the basis that the information will no longer
appear as part of their credit reporting information or have any
impact upon decisions about their current or future credit
worthiness. Subclause (7) states that a credit reporting body
must comply with a direction by the Commissioner given under
subclause (6), and failure to do so is subject to a civil penalty
of 1000 penalty units.

Subclause
(8) clarifies the relationship of this provision to clause 20M,
which deals with the use and disclosure of de-identified credit
reporting information. If a credit reporting body is directed
by the Commissioner to de-identify the credit reporting information
under subclause (6) then clause 20M will apply to that
de-identified information.

Clause 20ZA Dealing with information if an Australian law etc requires it to be retained

Clauses
20V and 20Y provide that credit reporting bodies must not deal with
information in the ways otherwise specified in those provisions if
they are required by or under an Australian law or a court or
tribunal order not to so deal with the information.
Accordingly, clause 20ZA provides rules for how credit reporting
bodies are to deal with any information that is subject to these
directions by another Australian law or court or tribunal
order.

Subclause
(1) sets out the application of the provision. This provision
applies if a credit reporting body is not required to: destroy or
de-identify credit information under subclause 20V(2) because of
subclause 20V(4); destroy or de-identify any CRB derived
information under subclause 20V(5) because of subclause 20V(7); or
destroy credit reporting information under subclause 20Y(2) because
of subclause 20Y(3).

If
subclause (1) applies, subclause (2) states that the credit
reporting body must not use or disclose the information, breach
of which is subject to a civil penalty of 2000 penalty units.
Subclause (3) provides an exception from this general rule to
permit any use or disclosure that is required by or under an
Australian law or a court or tribunal order. Subclause (4)
requires the body to make a written note of any such use or
disclosure, consistent with the general policy of requiring bodies
to note uses or disclosures. This is subject to a civil
penalty of 500 penalty units.

Subclause
(5) states that the obligations in relation to the integrity of
information set out in Subdivision E (with one exception) do not
apply in relation to the use or disclosure of the
information. However, the security obligations in clause 20Q
continue to apply. Subclause (6) states that the access and
correction obligations set out in Subdivision F do not apply in
relation to the information. The purpose of these provisions
is to clarify the application of these obligations to this
information. If another Australian law or court or tribunal
order requires the credit reporting body to do, or not do, certain
things in relation to the information, it would be inappropriate to
apply the full set of obligations to this information.

Division 3 - Credit providers

Subdivision A - Introduction and application of this Division

Clause 21 Guide to this Division

This
provision provides a guide to the Division.

Clause 21A Application of this Division to credit providers

Clause 21A
states that the Division only applies to credit providers in
relation to: credit information; credit eligibility information;
and CRB derived information.

Credit
reporting information that is disclosed by credit reporting bodies
to credit providers becomes credit eligibility information (which
also includes CP derived information) in the hands of credit
providers. For this reason credit providers are regulated in
relation to credit eligibility information, rather than credit
reporting information. Credit information is also regulated
because credit providers have a dual role of both supplying credit
information into, and collecting credit reporting information from,
the credit reporting system.

This
Division provides requirements that apply to credit providers in
relation to these categories of information. While the APPs
are completely replaced by the obligations for credit reporting
bodies in Division 2, a different approach is taken for credit
providers. The requirements for credit providers set out in
Division 3 may apply in addition to the APPs (where a credit
provider is an APP entity). Where any provision in this
Division modifies or replaces an APP the relationship with the
relevant APP will be made expressly clear in that provision.
Other provisions impose obligations that do not directly relate to
the APPs and so are additional to the APP obligations. Where
an APP is not referred to in this Division then that APP will
continue to apply to any information regulated by this Division and
to credit providers that are APP entities in relation to that
information. For example, this Division does not specifically
regulate the collection of the kinds of personal information that
are included in the definition of credit information. This
means that APP 3 (dealing with the collection of solicited
information) and APP 4 (dealing with the collection of unsolicited
information) apply as appropriate and without modification to
credit providers that are APP entities.

Credit
providers have obligations in relation to these three categories of
information. While a credit provider may not hold CRB derived
information, clause 21V imposes obligations on credit providers to
provide assistance to an individual who wishes to correct credit
information, CRB derived information, or CP derived information
about the individual. If the credit provider holds at least
one of these categories of information they have certain correction
obligations, and the ability to consult with another credit
reporting body or credit provider as required.

To the
extent that a credit provider handles any other personal
information, the APPs will regulate the handling of that personal
information by credit providers that are APP entities.

Subdivision B - Consideration of information privacy

Clause 21B Open and transparent management of credit information etc.

Clause 21B
is based on the obligations set out in APP 1, modified to apply
specifically to credit providers and their handling of credit
information and credit eligibility information. The
interaction of this provision with APP 1 is dealt with in subclause
(7).

Subclause
(1) states the object of the provision.

Subclause
(2) imposes a general requirement on credit providers to take
reasonable steps to implement practices, procedures and systems in
relation to their functions or activities as a credit provider that
will ensure compliance with the requirements of the Division and
the registered CR code, and that will enable them to deal with inquiries
or complaints about their compliance. It is anticipated that
credit providers will demonstrate their compliance with this
obligation by, for example, developing and maintaining training
programs, staff manuals, standard procedures and any other relevant
documents that demonstrate awareness of, and compliance with, their
obligations under the Division and the registered CR code. In
addition, credit providers should be able to demonstrate that their
business systems, such as their data management systems, comply
with the requirements of the Division or the registered CR
code.

Subclause
(3) requires credit providers to have a policy dealing with their
management of credit information and credit eligibility
information. The policy must be clearly expressed and
up-to-date.

Subclause
(4) provides a list of matters on which the policy must contain
information. The list is not exhaustive and the policy can,
and should where necessary to satisfy the obligation set out in
subclause (3), contain additional information. The purpose of
the list is to provide guidance to credit providers on information
that the policy must contain which is likely to be directly
relevant to individuals and their concerns about the information
handling practices of credit providers. It is not intended
that the policy set out matters such as detailed operational or
administrative procedures or the processes of internal data
management systems, nor is it intended that the policy establish
technical data handling standards.

Subclause
(5) requires credit providers to take reasonable steps to make the
policy publicly available. Credit reporting bodies must take
reasonable steps to make the policy available free of charge, and
must make the policy available in an appropriate form - for
example, on the website.

Subclause
(6) ensures that the policy is readily available to the
public. While a credit provider may decide to make the policy
available on their website, there may be circumstances where a
person or body may wish to have the policy in a particular form
- for example, in a different digital form that is more
accessible for readers with a disability, or as a printed
booklet. Following any such request, credit providers must
take reasonable steps to provide the person or body with a copy of
their policy in the requested form. It is expected that
credit providers would not charge for making the policy available
in the requested form.

Subclause
(7) deals with the interaction of this provision with the
APPs. It makes clear that APPs 1.3 and 1.4 (which deal with
privacy policies) do not apply to the credit provider in relation
to credit information or credit eligibility information.
However, the APPs will continue to apply to the credit provider in
relation to any other personal information.

Subdivision C - Dealing with credit information

Subdivision
C sets out rules for credit providers in relation to credit
information. This is the information that credit providers
disclose to credit reporting bodies into the credit
reporting system. Rules to deal with information that credit
providers collect from the credit reporting system are set
out in Subdivision D.

Clause 21C
sets out additional notification requirements for credit providers
when they collect personal information that may be disclosed to a
credit reporting body (only that personal information which falls
within the definition of credit information may be
disclosed). Credit providers must notify individuals about
certain matters to whom they are likely to disclose information,
and credit providers that are APP entities must also notify
individuals of certain matters in relation to the credit
provider’s credit reporting privacy policy. The
interaction of this provision with APP 5 is dealt with in subclause
(2).

Subclause
(1) applies where a credit provider collects personal information
about an individual that is likely to be disclosed to a credit
reporting body. At or before the time of collection the
credit provider must notify the individual of the name and contact
details of the credit reporting body (or bodies, if the information
may be disclosed to more than one body) and any other matters
specified in the registered CR code. Alternatively, rather
than notifying the individual, the credit provider must otherwise
ensure that the individual is aware of the matters specified.
Depending on the circumstances, other approaches may be more
appropriate to inform the individual of this information, for
example where the credit provider arranges for a third party to
notify the individual. Irrespective of the method used, the
individual must be informed of these matters and it is expected
that the information about the credit reporting body or bodies
would subsequently be readily accessible to the individual for
their reference. It is intended that the registered CR code
would include requirements to inform individuals of how their
personal information will be handled in the credit reporting
system. This should include providing information that either
includes, or allows the individual to readily access, the privacy
policies of credit reporting bodies. As required by clause
20B, the privacy policies of credit reporting bodies must include
various matters that are of significance to individuals, including
information about access, correction and complaints. Other
matters may also be addressed in the registered CR code.

Subclause
(2) deals with the interaction of this provision with the
APPs. The obligations set out in subclause (1) apply in
addition to the obligations imposed on a credit provider that is an
APP entity by APP 5.

The credit
provider must have a credit reporting privacy policy, as required
by clause 21B. Subclause (3) sets out matters contained
in the credit reporting privacy policy about which the credit
provider must notify the individual or otherwise bring to the
individual’s attention. This specific notification
requirement is to be read with the obligations imposed on a credit
provider that is an APP entity by APP 5.

Clause 21D
controls the flow of credit information into the credit reporting
system by regulating the disclosure of credit information by the
credit provider to a credit reporting body. As part of this
regulation the provision restricts the credit reporting system to
Australian participants and to credit provided, or applied for, in
Australia.

Subclause
(1) establishes a general prohibition on disclosure by a credit
provider of credit information about an individual to a credit
reporting body. This prohibition operates irrespective of
whether or not the credit reporting body carries on a credit
reporting business in Australia. This means that disclosure
of credit information to a foreign credit reporting body is
prohibited. Breach of this provision is subject to a civil
penalty of 2000 penalty units.

Subclause
(2) provides an exception to the general prohibition in subclause
(1) by permitting disclosures by certain credit providers to
certain credit reporting bodies. Before any disclosure can
occur, the credit provider must be a member of a ‘recognised
external dispute resolution scheme’ and must know, or believe
on reasonable grounds, that the individual about whom credit
information is to be disclosed is at least 18 years old.
Reasonable grounds will depend on the circumstances, but it is
expected that satisfying this obligation would generally require
the credit provider to have positively verified the
individual’s age. This requirement is consistent with
the policy of not including personal information in the credit
reporting system of individuals who are under 18, except in certain
defined circumstances (see subclauses (4) and (5) and clause 20C
which sets out the circumstances in which a credit reporting body
can collect this information). The credit reporting body to
which the disclosure is to be made must be an agency or an
organisation or small business operator that has an Australian
link. The term Australian link is defined by section 5B of
the Act. This provision operates to limit the disclosure of
credit information to Australian ‘credit reporting
bodies’. In addition, the credit information that is
disclosed must meet the requirements of subclause (3). The
note indicates that, even if these conditions are met, clause 21F
provides additional limitations on the disclosure of credit
information during a ban period (established under clause 20K)
where an individual is the victim of fraud, including identity
fraud.

Subclause
(3) sets out the conditions with which credit information must
comply before it can be disclosed to a credit reporting agency
under subclause (2). These conditions are based on the
restrictions set out in clause 20C that apply to the collection of
credit information by credit reporting bodies.

Paragraph
(a) states that the credit information must not relate to an act,
omission, matter or thing that occurred or existed before the
individual turned 18. However, subclause (4) permits
identification information about an individual to be
disclosed. Clause 20C states that a credit reporting body can
only collect identification information where it already holds, or
collects at the same time, consumer credit liability information
about the individual. In addition, subclause (5) permits
consumer credit liability information about an individual under 18
to be disclosed where the credit has not been terminated or
otherwise ceased to be in force before the individual turned
18. The issue of whether credit has been terminated or
otherwise ceases to be in force will depend on the terms of the
consumer credit. Depending
on the type of consumer credit, in some circumstances the
individual may continue to have access to the credit after repaying
the credit. This means that the consumer credit would not be
taken as terminated until the individual no longer had access to
the credit. Credit providers should clearly indicate to
consumers the circumstances in which their credit will be
terminated, and whether the consumer must take any action in
addition to making the final repayment to terminate the
credit. There may be other circumstances in which the credit
is terminated - for example, by a serious credit
infringement. The registered CR code will provide additional
guidance on determining the day on which consumer credit is
terminated and the other circumstances in which the consumer credit
ceases to be in force.

Paragraph
(b) says that any credit information that relates to consumer or
commercial credit must relate to credit that is or has been
provided, or applied for, in Australia. Information about the
foreign credit activities of individuals cannot be included in the
credit reporting system.

Paragraph
(c) establishes certain restrictions around credit information that
is repayment history information. It can only be disclosed
if: the credit provider is a ‘licensee’ (and hence
subject to responsible lending obligations under the National
Consumer Credit Protection Act); the consumer credit liability
information to which the repayment history information relates is
also, or has previously been, disclosed to the credit reporting
body; and the credit provider complies with any additional
requirements in relation to the disclosure of the information
prescribed by regulations. It is expected that regulations
will deal with matters such as how to determine whether a payment
is a monthly payment and other relevant matters.

Paragraph
(d) permits disclosure of credit information that is default
information only where the credit provider has given the individual
written notice stating the intention to disclose the default
information to a credit reporting body, and a reasonable period has
passed since the giving of the notice. The purpose of this
additional notification requirement is to ensure that credit
providers have done everything reasonable to make individuals aware
of the proposed default listing. It would also provide
individuals with one final opportunity to make overdue
payments. The reasonable period that must elapse between the
giving of the notice and disclosing the default information to a
credit reporting body will depend on the circumstances, and it is
expected that additional guidance around the appropriate timeframes
will be provided in the registered CR code.

Subclause
(6) requires credit providers to make a written note of any
disclosure of credit information under this provision. This
is consistent with the policy of requiring credit reporting bodies
to make written notes of disclosures. Certain other Acts set
out circumstances in which credit reporting bodies must not make
notes (see the note to clause 20E). A similar note has not
been inserted in this provision because there are no Acts which
currently set out circumstances in which credit providers must not
make a written note of disclosures. If any such provisions
were enacted in another Act in the future, then that other Act
would operate to limit the making of written notes by credit
providers. The purpose of requiring notes is to provide a
record of all disclosures. To be an effective record, the
written note should identify the date of the disclosure, the entity
to which the credit reporting information was disclosed, the type
of disclosure (including the specific provision under which the
disclosure was authorised), the type of credit information that was
disclosed (where this is not clear from the type of disclosure),
and any other relevant information. Written notes should be
sufficiently associated with the credit reporting information of
the relevant individual to ensure that individuals are able to
obtain access to all written notes relating to their credit
information. Written notes do not themselves fall within the
definition of credit information or credit reporting
information. However, as written notes would be personal
information about an individual, a credit provider that is an APP
entity will be subject to the general obligations set out in the
APPs in relation to the written notes of disclosures. A
breach of this provision attracts a civil penalty of 500 penalty
units.

Subclause
(7) deals with the interaction of this provision with the
APPs. It makes clear that APPs 6 and 8 (which deal with use
and disclosure and cross-border disclosures) do not apply to a
credit provider that is an APP entity in relation to the disclosure
of credit information to a credit reporting body. However,
these APPs will continue to apply to a credit provider that is an
APP entity in relation to any other personal information the credit
provider may hold (except for credit eligibility information, which
is dealt with in Subdivision C). In this regard, it is
important to note that any personal information held by a credit
provider that is an APP entity will always be subject to the
protections available under the Privacy Act. In general
terms, the APPs will apply to the information, unless specific
kinds of personal information are subject to different rules set
out in the credit reporting provisions.

Clause 21E Payment information must be disclosed to a credit reporting body

Clause 21E
requires credit providers to disclose certain information about the
payment of overdue credit obligations. The purpose of this
provision is to ensure that a person who subsequently makes an
overdue payment that has been listed as a default has that payment
recorded along with the relevant default as part of the
individual’s credit information. The payment
information (which is a defined term) may be disclosed to credit
providers (as permitted by Division 2) and will be available to
assist credit providers to make decisions about an
individual’s credit worthiness.

Where a
credit provider has disclosed default information about an
individual to a credit reporting body, and after the default
information was disclosed the amount of the overdue payment was
paid, the credit provider must disclose that payment information to
the credit reporting body within a reasonable period after the
payment is made. It is expected that the registered CR code
will provide guidance to assist in determining what is a reasonable
period. Failure to comply with this provision is subject to a
civil penalty of 500 penalty units.

Clause 21F Limitation on the disclosure of credit information during a ban period

Clause 21F
is linked with provisions in Division 2 to provide a thorough
response to identity fraud issues. Clause 20K establishes a
mechanism for individuals to deal with potential fraud, including
identity fraud, by controlling the disclosure of their credit
reporting information in certain circumstances. Clause 20Y
provides for the destruction of credit reporting information by the
credit reporting body in cases of fraud.

Clause 21F
limits the disclosure by credit providers of credit information to
credit reporting bodies during a ban period. If a credit
provider is unable to obtain access to an individual’s credit
reporting information to assess an application for credit due to a
ban period but proceeds to provide credit to a person purporting to
be the individual, the credit provider cannot list any of the
information about that credit as part of the individual’s
credit information. This is intended to ensure that credit
providers take reasonable steps to identify a person during a ban
period.

Subclause
(1) sets out the circumstances in which this provision will
operate. The provision applies if: a credit reporting body
holds information about an individual; a credit provider requests
disclosure of the individual’s information to assess an
application for consumer credit made by the individual or someone
purporting to be the individual; the information cannot be
disclosed because a ban period is in place; and during the ban
period, consumer credit is provided to the individual or the person
purporting to be the individual.

A credit
reporting body is not prohibited from telling a credit provider
whether or not it holds credit reporting information about an
individual, nor is it prohibited from telling a credit provider
that a ban period is in place in relation to an individual.
The purpose of these provisions is not to prevent a credit provider
from knowing about the ban period, but to prevent access to the
individual’s credit reporting information without the express
consent of the individual.

If
subclause (1) is satisfied, subclause (2) provides that the credit
provider must not disclose to a credit reporting body any credit
information that relates to consumer credit. Breach of this
prohibition is subject to a civil penalty of 2000 penalty
units.

Subclause
(3) states that the prohibition in subclause (2) does not apply if
the credit provider has taken such steps as are reasonable in the
circumstances to verify the identity of the individual to whom the
provider intends to provide the credit. The reasonable steps
will depend on the circumstances in each case.

It is
expected that further practical details around the operation of the
provisions dealing with ban periods in cases of fraud would be
covered in the registered CR code. Matters that may be
covered include: notifying the individual of the effect of the ban
period and the circumstances in which the individual should be
notified that the ban period is ending; the extension of the ban
period; notification of credit providers of the ban period; and
other relevant matters.

Subdivision D - Dealing with credit eligibility information etc.

Subdivision
C sets out rules for credit providers in relation to credit
eligibility information. This category of information
incorporates the credit reporting information that credit providers
collect from the credit reporting system as well as any CP
derived information. Rules to deal with information that
credit providers disclose to credit reporting bodies into
the credit reporting system are set out in Subdivision
B.

This Subdivision contains rules on uses and disclosures of credit
eligibility information by credit providers, including rules that
provide for disclosures to specific kinds of recipients. This
Subdivision also contains a rule providing for notification of the
individual following a refusal of an application for consumer
credit based wholly or partly on credit eligibility information
about certain persons.

Clause 21G Use or disclosure of credit eligibility information

Clause 21G sets out the general rules for the use or
disclosure of credit eligibility information by credit
providers. This provision is based on the obligations and
structure of APP 6, but has been significantly modified to apply
specifically to credit providers and credit eligibility
information. Clause 21G is similar in structure to clause
20E, which deals with use and disclosure by credit reporting bodies
of credit reporting information.

Subclause (1) establishes a general prohibition on the use
or disclosure of credit eligibility information about an individual
by a credit provider. Breach of this prohibition is subject
to a civil penalty of 2,000 penalty units. Subclauses (2) and
(3) provide exceptions for this general prohibition.

Subclause (2) sets out the permitted uses, which are
exceptions to the prohibition on using credit eligibility
information in subclause (1). Paragraph (2)(a) provides that
a credit provider is permitted to use credit eligibility
information if the use is for a ‘consumer credit related
purpose’ in relation to the individual. ‘Consumer
credit related purpose’ is a defined term and means that the
use must be for the purpose of assessing an application for
consumer credit made by the individual, or collecting payments that
are overdue in relation to consumer credit provided to the
individual.

Paragraph (2)(b) provides that a ‘permitted CP
use’ in relation to an individual is allowed, and the
permitted CP uses are set out in clause 21H. Paragraph (2)(c)
permits the use of credit eligibility information in relation to
serious credit infringements. The provider must believe on
reasonable grounds that the individual has committed a serious
credit infringement and the use of the information must be in
connection with the infringement. For example, the use may be
to try to obtain updated identification information to check
whether the individual has moved to a new address to allow the
provider to try to contact the individual again.

Paragraphs (2)(d) and (e) also permit a credit provider to
use credit eligibility information if the use is required or
authorised by or under Australian law or a court or tribunal order,
or the use is prescribed in the regulations. The
regulation-making power provides a means to permit any currently
unforeseen but necessary uses that may arise in the future.
Additional uses will be permitted where the use can be shown to be
in the public interest as well as being for the benefit of the
individuals whose credit eligibility information would be
used. Appropriate public consultation with all relevant
stakeholders would be undertaken when considering whether
regulations prescribing any additional uses should be
prepared.

Unlike APP 6, no secondary uses of credit eligibility
information by a credit provider are permitted. Only those
uses expressly provided in subclause (2) and clause 21H are
permitted.

Subclause (3) sets out the permitted disclosures, which are
exceptions to the prohibition on disclosing credit eligibility
information in subclause (1). Paragraph (3)(a) provides that
a credit provider does not breach this provision if the disclosure
is a ‘permitted CP disclosure’ in relation to the
individual. ‘Permitted CP disclosure’ has the
meaning given by clauses 21J to 21N, which set out a range of
circumstances for permitted disclosures.

The remaining paragraphs of subclause (3) set out specific
permitted disclosures. Paragraph (3)(b) permits disclosures
of credit eligibility information to a related body corporate of
the credit provider and the related body corporate must have an
‘Australian link’. Paragraph (3)(c) permits
disclosures to a person who manages credit provided by the credit
provider. The credit manager must not be acting as an agent
of the credit provider and must have an ‘Australian
link’ to ensure that the credit manager is not a foreign
entity. ‘Agents of credit providers’ is a concept
defined in clause 6H, which treats agents as being the credit
provider in the circumstances defined. A credit manager is
intended to be someone who is not acting as the credit
provider’s agent but instead provides a service to the credit
provider to manage credit accounts. The kinds of services
that may be performed by a credit manager will depend on the
relationship with the credit provider and decisions made by the
credit provider about how it will manage its credit accounts.
Recognizing that circumstances will vary, the term credit manager
has not been defined.

Paragraph (3)(d) permits disclosure of credit eligibility
information to another credit provider that has an
‘Australian link’ and to enforcement bodies in relation
to ‘serious credit infringements’. Before making
the disclosure the credit provider must believe on reasonable
grounds that the individual has committed a ‘serious credit
infringement’. This provision will assist enforcement
bodies in the investigation of alleged serious credit
infringements. It will also permit credit providers to alert
other providers that they reasonably believe the individual has
committed a serious credit infringement.

Paragraph (3)(e) permits disclosures to external dispute
resolution schemes that have been recognised by the Commissioner
and of which a credit provider or credit reporting body is a
member. This provision is intended to ensure that external
dispute resolution schemes can access relevant credit eligibility
information, where appropriate, to assist in the resolution of
complaints made by individuals about their personal information in
the credit reporting system.

Paragraphs (3)(f) and (g) also permit a credit provider to
disclose credit eligibility information if the disclosure is
required or authorised by or under Australian law or a court or
tribunal order, or the disclosure is prescribed in the
regulations. The regulation-making power provides a means to
permit any currently unforeseen but necessary disclosures that may
arise in the future. As stated above in relation to the
regulation-making power for uses of credit eligibility information,
this power would be exercised where the disclosure is in the public
interest, for the benefit of the individual, and following
appropriate public consultation.

Subclauses (4) and (5) impose additional limitations where
the proposed disclosure is credit eligibility information that
includes, or was derived from, repayment history information.
Subclause (4) prohibits the disclosure of such information.
The civil penalty for breach of subclause (4) is 2,000 penalty
units. Subclause (5) provides for exceptions to this
prohibition in specified circumstances. Paragraph (5)(a)
provides that this information can be disclosed if the recipient is
another credit provider who is a ‘licensee’. This
is intended to ensure that repayment history information, or credit
eligibility information that is derived from repayment history
information, can only be disclosed to credit providers who are
subject to responsible lending obligations under the National
Consumer Credit Protection Act. This restriction extends to
credit eligibility information that was derived from repayment
history information because it is considered appropriate that
credit providers who cannot access repayment history information
should not be able to indirectly obtain the benefit of that
information through the possibility that credit providers could
provide credit eligibility information that incorporates repayment
history information in another form. Paragraph (5)(b)
provides an exception where the information is disclosed under
clause 21L, which permits the disclosure of credit eligibility
information to mortgage insurers in specified circumstances.
As mortgage insurers are underwriting the credit risk taken on by
the credit provider in providing consumer credit, it is important
that the mortgage insurers have access to the same information
available to the credit provider to whom they are offering
insurance. Where this information includes repayment history
information, a credit provider can disclose this information to the
mortgage insurer for the mortgage insurance purpose as specified in
clause 21L. A mortgage insurer is prohibited from making any
further disclosure of that information by clause 22C (except where
that disclosure may be required or authorised by or under an
Australian law or court or tribunal order). Paragraph (5)(c)
permits disclosure of the information to an enforcement body for
the purposes of paragraph (3)(d) (where the disclosure is related
to a serious credit infringement). Paragraph (5)(d) permits
disclosure for the purposes of paragraph (3)(e) (to a recognised
external dispute resolution scheme) and for the purposes of
paragraph (3)(f) (where the disclosure is required or authorised by
or under an Australian law or a court or tribunal
order).

Subclause (6) requires credit reporting bodies to make a
written note of any use or disclosure of credit eligibility
information under this provision. Because subclause (2)
includes permitted CP uses under clause 21H and subclause (3)
includes permitted CP disclosures under clauses 21J to 21N, this
means that written notes will need to be made of all these uses and
disclosures. The purpose of requiring notes is to provide a
record of all uses and disclosures of credit eligibility
information. To be an effective record, the written note
should identify the date of the use or disclosure, the type of use
or disclosure (including the specific provision under which the
disclosure is authorised), the entity to which the credit
eligibility information was disclosed, the type of credit
eligibility information that was disclosed (where this is not clear
from the type of disclosure), and any other relevant information
(for example, that an individual’s express consent to a
disclosure under clause 21J was not in writing because of the
circumstances set out in subclause 21J(2)). In relation to
identifying the type of credit eligibility information that was
disclosed, a reader of the note should be able to determine whether
all credit eligibility information relating to the individual was
disclosed, and if not, what types of credit eligibility information
were disclosed (for example, repayment history information).
Written notes should be sufficiently associated with the credit
eligibility information of the relevant individual to ensure that
individuals are able to obtain access to all written notes relating
to their credit eligibility information. Written notes do not
themselves fall within the definition of credit information or
credit eligibility information. However, as written notes
would be personal information about an individual, a credit
provider that is an APP entity will be subject to the general
obligations set out in the APPs in relation to the written notes of
uses and disclosures. A breach of this provision attracts a
civil penalty of 500 penalty units.

Subclauses (7) and (8) both deal with the interaction of
this provision with the APPs. Subclause (7) makes clear that
APPs 6 and 8 (which deal with use and disclosure and cross-border
disclosures) do not apply to a credit provider that is an APP
entity in relation to credit eligibility information.
Subclause (8) provides that, where the credit eligibility
information is a government related identifier of the individual
(for example, a driver’s licence number), APP 9.2 (which
deals with the use or disclosure of such identifiers) does not
apply. However, these APPs will continue to apply to the
credit provider in relation to any other personal information the
credit provider may hold (except for credit information, which is
dealt with above in Subdivision B). In this regard, it is
important to note that any personal information held by a credit
provider that is an APP entity will always be subject to the
protections available under the Privacy Act. In general
terms, the APPs will apply to the information if the credit
provider is an APP entity, unless specific kinds of personal
information are subject to different rules set out in the credit
reporting provisions.

Clause 21H Permitted CP uses in relation to individuals

This provision sets out the circumstances in which a use of
credit eligibility information by a credit provider will be a
‘permitted CP use’ authorised by paragraph
135(2)(b). This provision refers to the permitted disclosures
of credit reporting information by a credit reporting body pursuant
to the table in subclause 20F(1). It is important to remember
the data flows in the credit reporting system and the terms used to
describe that data at different points in the system. Credit
reporting information about an individual disclosed by a credit
reporting body will become credit eligibility information when the
recipient credit provider collects it. ‘Credit
eligibility information’ is held by credit providers and is
defined as credit reporting information or any ‘CP derived
information’ about the individual.

The provision states that a use of credit eligibility
information is permitted where the relevant credit reporting
information was disclosed to the credit provider under the
provision specified in column 1 of the table (that is, a provision
from the table in subclause 20F(1) that permitted a credit
reporting body to disclose the information) for the specified
purpose. In these circumstances, the use set out in column 2
of the table is permitted by the credit provider. The table lists
six permitted CP uses.

Item 1 of the table provides that a disclosure of credit
reporting information for the purpose of assessing an application
for consumer credit made by the individual to the credit provider
can be used for a ‘securitisation related purpose’ of
the credit provider, or the information can be used for the
internal management purposes of the provider that are directly
related to the provision or management of consumer credit by the
provider. Essentially, the information that has been
disclosed under this item can already be used under paragraph
21G(2)(a) for a ‘consumer credit related purpose’, so
this item permits these two additional uses to be made of this
information. While item 6 also deals with uses for
securitisation related purposes, item 6 applies to a different
recipient. In the case of item 1, the recipient is the credit
provider who has assessed an application for credit and that credit
provider is now engaging in securitisation activities. Item 6
of the table, discussed further below, applies to securitisation
entities that are, for the purposes of that activity, defined as a
credit provider. The other permitted purpose for which the
information may be used under item 1 is internal management
purposes of the credit provider that are directly related to the
provision or management of consumer credit by the provider.
This will allow the provider to use the information for the
purposes of deriving ‘CP derived information’ about the
individual, to manage its relationship with the individual as well
as to manage its credit business as a whole. This would
permit the credit provider to use the information for data
management purposes, for example, or other activities necessary to
run the consumer credit business of the provider.

Item 2 of the table permits information that has been
disclosed to the credit provider for a particular ‘commercial
credit related purpose’ to be used for that purpose.
This means the information can only be used for the purpose of
assessing an application for commercial credit or to collect
overdue payments in relation to commercial credit provided to the
individual. The table in subclause 20F(1) requires that the
individual must have already expressly consented to the disclosure
by the credit reporting body of the credit reporting information to
the credit provider for this commercial credit purpose. The
requirement for express consent ensures that the individual is
aware that their credit information will be used for a non-consumer
credit purpose.

Item 3 of the table also refers to disclosures of credit
reporting information made for a commercial credit purpose, but in
this case the disclosure must be made for the specific purpose of
assessing an application for commercial credit made by the
individual to the provider, and the permitted use is not for
assessing that application (which is dealt with in item 2 above)
but instead is for the internal management purposes of the provider
that are directly related to the provision or management of
commercial credit by the provider. This means that the
information can be used by the credit provider for deriving
information about the individual in relation to their commercial
credit (similar to the category of information called ‘CP
derived information’, but that category refers to consumer
credit). In this context derived information may mean a
credit score in relation to the individual’s commercial
credit worthiness. Item 3 is limited to credit reporting
information disclosed for the purposes of assessing the application
and does not permit the use of information disclosed for the
purpose of collecting overdue payments for internal management
purposes in relation to commercial credit. This limitation
ensures consistency with the permitted uses in the consumer credit
context. Credit eligibility information which was disclosed
for the purpose of assessing an application for commercial credit
made by a person to the credit provider could also be used for
other internal management purposes, such as data management.
Once again, the table in subclause 20F(1) requires that the
individual must have already expressly consented to the disclosure
by the credit reporting body of the credit reporting information to
the credit provider.

Item 4 of the table provides that information that has been
disclosed to the credit provider for a ‘credit guarantee
purpose’ of the provider in relation to the individual can
only (if directly related to the provision or management of
commercial credit by the provider) be used for that ‘credit
guarantee purpose’ or for the internal management purposes of
the provider directly related to the provision or management of any
credit by the provider. This information can only be
disclosed by the credit reporting body once the individual has
expressly consented, in writing, to the use of the information for
the credit guarantee purpose. ‘Credit guarantee
purpose’ is a defined term, and means the purpose of
assessing whether to accept the individual as a guarantor in
relation to credit provided to, or applied for by, another
person. In this context, it is the individual who is
proposing to be the guarantor whose information is being
disclosed. This information can be used for internal
management purposes directly related to any credit provided by the
provider - both commercial credit and consumer
credit.

Item 5 of the table permits information that has been
disclosed to a current credit provider of an individual (that is, a
credit provider who provides consumer credit to the individual that
has not been terminated or otherwise ceased to be in force) to be
used for the purpose of assisting the individual to avoid
defaulting on his or her consumer credit obligations to the
provider. When read with item 5 in the table at
subclause 20F(1) this provision has the effect of limiting the
use of any information disclosed to assisting the individual to
avoid defaulting on the individual’s consumer credit
obligations to that credit provider. It would
not be consistent with the purpose of the credit reporting system
for the provider to obtain regular disclosures from the credit
reporting body simply to monitor or check an individual’s
overall credit worthiness or behaviour.

Item 6 of the table permits information that has been
disclosed to a credit provider for a securitisation related purpose
of the credit provider in relation to the individual to be used for
that particular securitisation purpose. A
‘securitisation related purpose’ refers to assessing
the risk of purchasing, by means of a securitisation arrangement,
credit that has been provided to the individual or to a person to
whom the individual is or proposes to be a guarantor. The
definition of the term also refers to assessing the risk in
undertaking credit enhancement in relation to credit that has been
provided to an individual (or a person to whom the individual is or
may be a guarantor) through a securitisation
arrangement.

Clause 21J Permitted CP disclosures between credit providers

This provision sets out the circumstances in which a
disclosure of credit eligibility information between credit
providers will be a ‘permitted CP disclosure’
authorised by paragraph 21G(3)(a). Four circumstances are
identified where a credit provider can disclose information to
another credit provider - where the individual consents;
where the disclosure is to the agent of a credit provider; in
relation to certain securitisation arrangements; and where the
disclosure is in relation to mortgage credit secured by the same
property - and these circumstances are subject to the
specific requirements detailed in this provision. The credit
provider who collects credit eligibility information will be
subject to any conditions set out in this provision in relation
to that disclosure as well as any applicable general conditions
imposed upon credit providers in relation to the use of credit
eligibility information as set out in subclause 21G(2).
Similarly, both the disclosing and the using credit providers will
be required to make written notes of their disclosures and uses
consistent with the obligation imposed by subclause
21G(6).

Subclause (1) permits a disclosure of credit eligibility
information in relation to an individual to another credit provider
where the disclosure is for a particular purpose, the credit
provider that is the recipient of the information has an Australian
link, and the individual has expressly consented to the disclosure
of the information to the recipient for the particular
purpose. The requirement that the recipient have an
Australian link is consistent with the restriction of the credit
reporting system to Australian entities and ensures that the credit
provider is not a foreign entity. The particular purpose of
the disclosure will be limited by the permitted uses of a credit
provider set out in subclause 21G(2). The requirement for
express consent is subject to the rules set out in
subclause (2). The express consent of the individual to
the disclosure for the particular purpose must be given in
writing. The only exception to the writing requirement is
where the disclosure is for the purpose of assessing an application
for consumer or commercial credit made by the individual and the
individual did not make the application for credit in
writing. This provision does not mean that the
individual does not need to provide consent where the application
was not in writing. Instead, it means that where the
individual’s application was not in writing the
individual’s express consent also does not need to be in
writing. However, the individual must still provide express
consent to the disclosure. The consent of the individual
(whether in writing or not) must be given to the credit provider
who is to disclose the information or to the credit provider who
will be the recipient of the information. It is not necessary
for the consent to be given to both credit providers.
Circumstances where the disclosing credit provider would be given
the consent may include where the consent is not in writing.
This would enable the disclosing credit provider to confirm that
the individual has provided express consent to the disclosure for
the particular purpose.

Subclause (1) would not affect any practices credit
providers may have in place to share other personal information,
with appropriate consent from the individual, outside the credit
reporting system where such practices are consistent with the
obligations imposed by the APPs on credit providers in their
capacity as APP entities. However, the information sharing
practices must comply with the requirements of this provision to
the extent that any such information sharing practices include
dealing with credit eligibility information (which, by operation of
the definitions, includes ‘credit information’
and ‘CP derived information’).

Subclause (3) permits a credit provider that is acting as
an agent to disclose credit eligibility information about an
individual back to the credit provider that is the principal in the
agency relationship. The credit provider making the
disclosure under this provision must be acting as an agent of
another credit provider that has an Australian link. The
requirement that the credit provider have an Australian link is
consistent with the restriction of the credit reporting system to
Australian entities and ensures that the credit provider is not a
foreign entity. The credit provider making the disclosure
under this provision must be a credit provider in the terms set out
in subclause 6H(1), which sets out the rules for determining
whether an organization or small business operator is an agent of a
credit provider. The final element in this provision that
must be satisfied is that the credit provider (that is, the agent)
must be making the disclosure in their capacity as an agent of the
principal credit provider. This provision recognises that
there are different organizational structures in the credit
industry and in some instances an entity is in fact a credit
provider only because it is acting as the agent of a credit
provider. In such situations, the agent must be able to
disclose information to the principal in the agent/principal
relationship. Such disclosures would otherwise be prohibited
without this provision.

Subclause (4) permits a credit provider that is acting as a
securitisation entity to disclose credit eligibility information
about an individual back to the original credit provider that
provided the credit to which the securitisation arrangements
relate. This provision permits certain disclosures to occur
that are necessary due to securitisation relationships between
entities and credit providers. Such disclosures would
otherwise be prohibited without this provision. The credit
provider making the disclosure must be a credit provider under
subclause 6J(1), which deals with securitisation entities that are
taken to be credit providers for the purposes of performing tasks
necessary for a securitisation arrangement. The original
credit provider of the credit (or application for credit, as the
case may be) to which the securitisation relates must have an
Australian link. The requirement that the credit provider
have an Australian link is consistent with the restriction of the
credit reporting system to Australian entities and ensures that the
credit provider is not a foreign entity. The original credit
provider cannot be a credit provider by the operation of subclause
6J(1). This provision is intended to break the chain of
relationships between entities. An entity that is only a
credit provider because it is performing securitisation related
tasks cannot then form a securitisation relationship with another
entity and then claim that it is the original credit
provider. If any such relationships are entered, they will
not satisfy the requirements for this provision to allow the
disclosure of credit eligibility information. The credit
eligibility information that is the subject of the disclosure must
be disclosed to the original credit provider or another credit
provider that subclause 6J(1) defines as a credit provider in
relation to that credit (and in this case, the other credit
provider must have an Australian link). The last requirement
in this rule that must be satisfied for the disclosure to be
permitted is that the disclosure of the information must be
reasonably necessary for a securitisation purpose as set out in
subparagraphs (4)(e)(i) and (ii). The end result of this
provision is that it permits disclosures between entities that are
involved in a securitisation arrangement, as that relationship is
defined in subclause 6J(1).

Subclause (5) permits a credit provider to disclose credit
eligibility information about an individual to another credit
provider that has provided mortgage credit to the individual
secured by the same real property. However, the disclosure is
only permitted where the information relates to overdue
payments. As with the other provisions, the disclosure can
only be to another credit provider that has an Australian
link. The requirement that the credit provider have an
Australian link is consistent with the restriction of the credit
reporting system to Australian entities and ensures that the credit
provider is not a foreign entity. Both credit providers must
have provided mortgage credit in relation to which the same real
property forms all or part of the security. The individual
must be at least 60 days overdue in making a payment in relation to
the mortgage credit provided by either provider. The final
element of this rule that must be satisfied is that the information
must be disclosed for the purpose of either provider deciding what
action to take in relation to the overdue payment.

Clause 21K Permitted CP disclosures relating to guarantees etc.

This provision sets out the circumstances in which a
disclosure of credit eligibility information relating to guarantees
will be a ‘permitted CP disclosure’ authorised by
paragraph 21G(3)(a). This provision deals with disclosures of
information about an individual in two situations: where the
disclosure is to a person who is considering whether to offer to
act as a guarantor for the person; and where the disclosure is to a
person who is already a guarantor of the credit in relation to that
individual for certain purposes in relation to that
guarantee.

Subclauses (1) and (2) deal with disclosures to a person who is considering
whether to act as a guarantor for an individual. Subclause
(1) provides that a disclosure of credit eligibility information
about an individual by a credit provider is a permitted disclosure
if the credit provider has provided credit to the individual or the
individual has applied to the provider for credit. The
disclosure must be to a person for the purpose of that person
considering whether to offer to act as a guarantor in relation to
credit or to offer property as security for the credit. The
person (that is, the potential guarantor) must have an Australian
link. The requirement that the person have an Australian link is
consistent with the restriction of the credit reporting system to
Australia. In addition, the individual whose information is
to be disclosed must expressly consent to the disclosure to the
person for that purpose. Subclause (2) provides that the
express consent must be given in writing unless the application for
the credit that has been provided was not made in writing, or the
application for the credit that is being considered was not made in
writing. In these circumstances, express consent is still
required but the consent does not need to be in writing.
Disclosures in the circumstances prescribed are intended to provide
the prospective guarantor with sufficient information to make an
informed decision about the individual’s credit worthiness
and whether to provide a guarantee for the individual.

Subclauses (3) and (4) deal with disclosures to an existing
guarantor where the individual either: expressly consents to the
disclosure; or the disclosure is for a purpose related to the
enforcement, or proposed enforcement, of the guarantee.
Subclause (3) requires the disclosure to be to a person who is a
guarantor in relation to credit provided by the provider to the
individual, or who has provided property as security for the
credit. The person must have an Australian link, consistent
with the restriction of the credit reporting system to
Australia. In addition, the individual must either expressly
consent to the disclosure, or (where the person is a guarantor in
relation to the credit) the disclosure is for a purpose related to
the enforcement, or proposed enforcement, of the guarantee.
Subclause (4) provides that the express consent must be given in
writing unless the application for the credit that was provided was
not made in writing. In these circumstances, express consent
is still required but the consent does not need to be in
writing. Express consent is not required where the disclosure
is related to the enforcement or proposed enforcement of the
guarantee.

Clause 21L Permitted CP disclosures to mortgage insurers

This provision sets out the circumstances in which a
disclosure of credit eligibility information to mortgage insurers
will be a ‘permitted CP disclosure’ authorised by
paragraph 21G(3)(a). Mortgage insurers require access to
certain credit eligibility information to assess their risk in
underwriting credit, and for this purpose it is also necessary for
the mortgage insurer to have access to information that allows the
mortgage insurer to assess the risk of the credit provider that is
providing the mortgage credit, and the risk of individuals
defaulting on the credit or being unable to meet their commitments
under a guarantee.

Clause 21L
permits a disclosure by a credit provider of credit eligibility
information about an individual if it is to a mortgage insurer that
has an Australian link, consistent with the restriction of the credit reporting system to
Australia. The disclosure must be for a ‘mortgage
insurance purpose’ of the insurer in relation to the
individual or for any purpose arising under a contract for mortgage
insurance that has been entered into between the credit provider
and the mortgage insurer. A ‘mortgage insurance
purpose’ is defined and, in summary, means for the purpose of
assessing: whether to provide insurance to a credit provider in
relation to mortgage credit; the risk of an individual defaulting
on mortgage credit in relation to which insurance has been provided
to the provider; or the risk of the individual being unable to meet
a liability under a guarantee provided in relation to the mortgage
credit of another person.

Mortgage insurers are subject to further obligations in
Division 4 in relation to their privacy policies (clause 22A),
notification requirements (clause 22B), and any further use and
disclosure of information they have collected (clause
22C).

Clause 21M Permitted CP disclosures to debt collectors

This provision sets out the circumstances in which a
disclosure of credit eligibility information to debt collectors
will be a ‘permitted CP disclosure’ authorised by
paragraph 21G(3)(a). Disclosures to debt collectors are
permitted only in limited circumstances and the information that
can be disclosed is also restricted.

Subclause (1) provides that the disclosure must be to a debt
collector, that is, a person or body that carries on a business or
undertaking that involves the collection of debts on behalf of
others. That person or body must have an Australian link,
consistent with the restriction of the credit reporting system to
Australia. The disclosure of the information must be for a
purpose directly related to the actual collection of payments that
are overdue in relation to consumer credit provided by the provider
to the individual, or commercial credit provided by the provider to
a person. However, the kinds of information that can be
disclosed are restricted to those set out in subclause
(2).

Subclause (2) restricts the kinds of credit eligibility
information about an individual that can be disclosed to
information that is: ‘identification information’;
‘court proceedings information’; ‘personal
insolvency information’; or, where the disclosure is in
relation to overdue consumer credit payments, ‘default
information’. However, default information can only be
disclosed if the credit provider does not hold, or has not
previously held, payment information about the individual that
relates to that overdue payment.

Debt collectors that are APP entities must comply with the
obligations set out in the APPs in relation to the handling of any
information disclosed under this provision. Debt collectors
that are a small business for the purposes of section 6D of the Act
may not be subject to the APPs, depending on the circumstances of
that debt collector and the conditions set out in section
6D.

Clause 21N Permitted CP disclosures to other recipients

This provision sets out the circumstances in which a
disclosure of credit eligibility information to other recipients
will be a ‘permitted CP disclosure’ authorised by
paragraph 21G(3)(a). The other recipients to which
disclosures may be permitted are mortgage credit assistance schemes
and certain entities in relation to the assignment of debts owed to
the credit provider.